[CVE-2024-48916] rgw/sts: fix to disallow unsupported JWT algorithms

author Pritha Srivastava <prsrivas@redhat.com>

Tue, 5 Nov 2024 06:33:00 +0000 (12:03 +0530)

committer Adam Emerson <aemerson@redhat.com>

Wed, 5 Mar 2025 15:48:59 +0000 (10:48 -0500)
author Pritha Srivastava <prsrivas@redhat.com>
Tue, 5 Nov 2024 06:33:00 +0000 (12:03 +0530)
committer Adam Emerson <aemerson@redhat.com>
Wed, 5 Mar 2025 15:48:59 +0000 (10:48 -0500)
diff --git a/src/rgw/rgw_rest_sts.cc b/src/rgw/rgw_rest_sts.cc

index b9c23aa159c2665e3066cf74d5270fd501bbf6b3..2ceb30f589e02c9215af0ad9aa4c039380d13292 100644 (file)
--- a/src/rgw/rgw_rest_sts.cc
+++ b/src/rgw/rgw_rest_sts.cc
@@ -437,6 +437,9 @@ WebTokenEngine::validate_signature(const DoutPrefixProvider* dpp, const jwt::dec
                                .allow_algorithm(jwt::algorithm::ps512{cert});
  
                  verifier.verify(decoded);
+              } else {
+                ldpp_dout(dpp, 0) << "Unsupported algorithm: " << algorithm << dendl;
+                throw -EINVAL;
                }
              } catch (std::runtime_error& e) {
                ldpp_dout(dpp, 0) << "Signature validation failed: " << e.what() << dendl;
author	Pritha Srivastava <prsrivas@redhat.com>
	Tue, 5 Nov 2024 06:33:00 +0000 (12:03 +0530)
committer	Adam Emerson <aemerson@redhat.com>
	Wed, 5 Mar 2025 15:48:59 +0000 (10:48 -0500)