A high-severity vulnerability has been identified in multiple products from the vendor Connect, which utilize the Authlib Python library for authentication services. This flaw could allow a remote attacker to bypass authentication controls, potentially leading to unauthorized access to sensitive systems and data. Organizations are urged to apply vendor patches immediately to mitigate the risk of account takeover and data compromise.

The vulnerability exists within the implementation of the OAuth and OpenID Connect protocols in the Authlib library used by Connect products. Specifically, there is an improper validation of JSON Web Token (JWT) signatures under certain conditions. An unauthenticated, remote attacker could craft a malicious JWT with a manipulated signature and send it to an affected application's endpoint, causing the library to incorrectly validate the token and grant access as a legitimate user.

This vulnerability is rated as High severity with a CVSS score of 7.5. Successful exploitation could lead to a complete authentication bypass, allowing an attacker to impersonate legitimate users and gain unauthorized access to applications and the sensitive data they contain. The potential consequences include data breaches, unauthorized modification of critical information, account takeover, and elevation of privileges within the affected systems. This poses a significant risk of financial loss, reputational damage, and non-compliance with data protection regulations.

Immediate Action: Apply the security updates released by the vendor, Connect, immediately across all affected products. After patching, it is crucial to monitor systems for any signs of exploitation and thoroughly review access and authentication logs for anomalous activity that may have occurred prior to the patch application.

Proactive Monitoring: Security teams should actively monitor for indicators of compromise. This includes scrutinizing application logs for malformed JWTs, a sudden spike in token validation errors followed by successful logins, and authentication attempts from unusual or untrusted IP addresses. Network traffic should be monitored for requests targeting authentication endpoints with abnormally structured tokens.

Compensating Controls: If immediate patching is not feasible, consider implementing the following controls:

• Deploy a Web Application Firewall (WAF) with rules specifically configured to inspect and block malformed or suspicious JWTs.
• Enforce stricter network segmentation to limit the lateral movement potential of an attacker who successfully gains access.
• Ensure Multi-Factor Authentication (MFA) is enforced on all accounts, as this can provide an additional layer of security against an attacker using a compromised token.

Public Exploit Available: false

This vulnerability represents a significant risk to the confidentiality and integrity of organizational data and systems. Due to the high severity score and the critical function of the affected authentication component, immediate action is required. While this vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its potential for direct impact warrants urgent attention. We strongly advise all organizations to prioritize the testing and deployment of the vendor-supplied patches to all affected systems to prevent potential unauthorized access and subsequent data compromise.