From 919da3696668a07c6810dfa39301950c81c2eba4 Mon Sep 17 00:00:00 2001
From: Pritha Srivastava
Date: Tue, 5 Nov 2024 12:03:00 +0530
Subject: [PATCH] [CVE-2024-48916] rgw/sts: fix to disallow unsupported JWT algorithms while authenticating AssumeRoleWithWebIdentity using JWT obtained from an external IDP.

fixes: https://tracker.ceph.com/issues/68836

Signed-off-by: Pritha Srivastava
---
 src/rgw/rgw_rest_sts.cc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/rgw/rgw_rest_sts.cc b/src/rgw/rgw_rest_sts.cc
index f2bd9429a55..1101da0af3c 100644
--- a/src/rgw/rgw_rest_sts.cc
+++ b/src/rgw/rgw_rest_sts.cc
@@ -436,6 +436,9 @@ WebTokenEngine::validate_signature(const DoutPrefixProvider* dpp, const jwt::dec
         .allow_algorithm(jwt::algorithm::ps512{cert});
       verifier.verify(decoded);
+    } else {
+      ldpp_dout(dpp, 0) << "Unsupported algorithm: " << algorithm << dendl;
+      throw -EINVAL;
     }
   } catch (std::runtime_error& e) {
     ldpp_dout(dpp, 0) << "Signature validation failed: " << e.what() << dendl;
-- 
2.39.5
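Review bot: The new else branch logs `algorithm` verbatim at log level 0, and that value presumably comes straight from the untrusted token's `alg` header, so an unauthenticated caller can push arbitrary text (including newlines) into the RGW log and fill it with one line per malformed token; log it at a debug level or truncate/escape it, e.g. `ldpp_dout(dpp, 10) << "Unsupported algorithm: " << algorithm << dendl;`. The added `throw -EINVAL` throws an int, so it intentionally bypasses the `catch (std::runtime_error&)` that follows; that matches the file's existing int-throw convention but deserves a one-line comment such as `// not a runtime_error on purpose: let the caller's generic handler map this to a rejection`. The if/else-if chain this else closes begins outside the hunk, so confirm from that code that `alg` is matched exactly and that a token with `alg: none` can never reach a verifier, and add a regression test submitting tokens with `alg: none` and an unknown algorithm to pin the fix. validate_signature starts outside the hunk.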