
Conversation

@MaharshiPatel
Owner

🚨 This automated pull request was created by Frogbot and fixes the below:

📦 Vulnerable Dependencies

✍️ Summary

| SEVERITY | CONTEXTUAL ANALYSIS | DIRECT DEPENDENCIES | IMPACTED DEPENDENCY | FIXED VERSIONS | CVES |
|---|---|---|---|---|---|
| High | Applicable | jsonwebtoken:8.5.1 | jsonwebtoken 8.5.1 | [9.0.0] | CVE-2022-23539 |

🔬 Research Details

Description:
jsonwebtoken is a JSON Web Token (JWT) implementation for Node.js.
It allows verifying/signing JWTs, which are mainly used for authorization and authentication purposes.

JSON Web Token is an open industry standard used to share information between two entities, usually a client (like your app’s frontend) and a server (your app’s backend).
Each JWT is also signed using cryptography (hashing) to ensure that the JSON contents (also known as JWT claims) cannot be altered by the client or a malicious party.

It was discovered that the jwt.sign() and jwt.verify() functions in jsonwebtoken didn't check the key type and algorithm, which might lead to the usage of insecure key algorithms and could result in a signature brute force and bypass.
For example, a legacy DSA key could be used in practice, while passing any other algorithm in the alg argument for jwt.sign() or jwt.verify().

The issue requires an old legacy key type to be used with an algorithm that doesn't match it, weakening the verification process's security, which is rare.

A malicious attacker could try to break a JWT signature that uses this weak key type and algorithm combination, and by doing so change its payload without the verifier noticing.
When using the JWT for authentication purposes, this may lead to an authentication bypass.

A new option named allowInvalidAsymmetricKeyTypes could be passed after updating to the fixed version in order to allow backward compatibility and essentially bypass the fix.

Refer to the advisory for the list of allowed and supported key types and algorithm combinations.

