From: Pritha Srivastava
Date: Tue, 5 Nov 2024 06:33:00 +0000 (+0530)
Subject: [CVE-2024-48916] rgw/sts: fix to disallow unsupported JWT algorithms
X-Git-Tag: testing/wip-khiremat-testing-20250306.135557-reef-debug~15^2
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=6dddeccd52e5d2440beb8248a905a0588666e6d1;p=ceph-ci.git

[CVE-2024-48916] rgw/sts: fix to disallow unsupported JWT algorithms while authenticating AssumeRoleWithWebIdentity using JWT obtained from an external IDP.

fixes: https://tracker.ceph.com/issues/68836

Signed-off-by: Pritha Srivastava
(cherry picked from commit 919da3696668a07c6810dfa39301950c81c2eba4)
---

diff --git a/src/rgw/rgw_rest_sts.cc b/src/rgw/rgw_rest_sts.cc
index 09f77f61d5f..23328236ab9 100644
--- a/src/rgw/rgw_rest_sts.cc
+++ b/src/rgw/rgw_rest_sts.cc
@@ -444,6 +444,9 @@ WebTokenEngine::validate_signature(const DoutPrefixProvider* dpp, const jwt::dec
         .allow_algorithm(jwt::algorithm::ps512{cert});
       verifier.verify(decoded);
+    } else {
+      ldpp_dout(dpp, 0) << "Unsupported algorithm: " << algorithm << dendl;
+      throw -EINVAL;
     }
   } catch (std::runtime_error& e) {
     ldpp_dout(dpp, 0) << "Signature validation failed: " << e.what() << dendl;