json-jwt allows bypass of identity checks via a sign/encryption

[Shoaib19]

I am getting the error is it resolved in 1.16.6?

The json-jwt (aka JSON::JWT) gem versions 1.16.5 and below sometimes allows bypass of identity checks via a sign/encryption confusion attack. For example, JWE can sometimes be used to bypass
JSON::JWT.decode.

[bramn]

Not according to bundle-audit:

ruby-advisory-db:
  advisories:	877 advisories
  last updated:	2024-03-02 13:38:12 -0800
  commit:	973ee9391883d41454c48851116c774f1bfc78c8
Name: json-jwt
Version: 1.16.6
CVE: CVE-2023-51774
GHSA: GHSA-c8v6-786g-vjx6
Criticality: Unknown
URL: https://github.com/P3ngu1nW/CVE_Request/blob/main/novjson-jwt.md
Title: json-jwt allows bypass of identity checks via a sign/encryption confusion attack
Solution: remove or disable this gem until a patch is available!```

[nov]

#118 (comment)

[Shoaib19]

@nov Yeah I see but the bundle audit still producing the warning CI run it for verification, can you also fix that?

[nov]

I have no idea how to fix that.

[annettemccullough]

Has v1.16.6 be released, I don't see it in https://github.com/nov/json-jwt/releases

[Shoaib19]

@annettemccullough here it is
https://rubygems.org/gems/json-jwt/versions/1.16.6

[Shoaib19]

The issue has been resolved by this PR #3876
just need to update the gem to 1.16.6 or later.