Local Storage seems to be disabled in your browser.
For the best experience on our site, be sure to turn on Local Storage in your browser.

Build your own Magento store from $500/mo Check Now

Magento 2 JWT Authentication Patch

$0.00
Available
SKU
jwt-auth-patch

Fix the JWT authentication vulnerability on certain Magento 2 versions. Deny tokens issued by old encryption key. If you cannot upgrade Magento or cannot apply the official patch, try this one.

Details

Magento 2 JWT Authentication Patch

Fix the JWT authentication vulnerability on certain Magento 2 versions. Deny tokens issued by old encryption key. If you cannot upgrade Magento or cannot apply the official patch, try this one.

Wubinworks Magento 2 JWT Authentication Patch

Background

In September 2024, an authentication vulnerability was revealed on multiple Magento versions and those versions are identified that a new module Magento_JwtUserToken is employed.

Tokens(especially Admin Tokens) issued by old encryption key remains valid even if a new key is added. The vulnerability is caused by a bug in the above mentioned module. Attacker who once obtained a key can have persistent Admin level WebAPI access to the victim's store.

CVE-2024-34102(aka Cosmic Sting) Secondary Disaster

By exploiting CVE-2024-34102, the attacker can steal the encryption key and craft "valid" Admin Token.
A key rotation without fixing this vulnerability cannot deny the attacker's Admin level access.

Do I really need this patch ?

If your store is already hacked or you are unsure if it is, then you should assume the encryption key is leaked. Performing an encryption key rotation is very urgent.

Rotate Encryption Key

Note1: Perform the key rotation after installing this patch(extension).
Note2: Encryption keys are stored in app/etc/env.php crypt/key path, but do not delete old keys after rotation.

  • Login to Admin Panel
  • Go to System > Other Settings > Manage Encryption Key
  • Change Auto-generate a Key to Yes and then Change Encryption Key

More details, including command line methods, are in this blog post.

We also developed a tool for deployment automation purpose. Check Magento 2 Encryption Key Manager CLI.

Requirements

For affected versions only

2.4.4 ~ 2.4.4-p9
2.4.5 ~ 2.4.5-p8
2.4.6 ~ 2.4.6-p6
2.4.7 ~ 2.4.7-p1

Compatibility

This extension does not use preference.

Installation

composer require wubinworks/module-jwt-auth-patch

If you like this extension please star this repository.

You May Also Like

Magento 2 patch for CVE-2024-34102(aka Cosmic Sting)

Magento 2 Encryption Key Manager CLI

Extension Support

We provide:

  • Installation/Upgrade
  • Configuration
  • Add custom feature
  • Resolve conflict
  • And more

For service details, please refer to Magento Technical Support Service.

Note we require credentials that have privilege to access your Admin Panel, code base and restart services. We can also use git.

Source Code

https://github.com/wubinworks/magento2-jwt-auth-patch

Report Issue

100% FREE and 100% Open Code. No registration required.

Installation

composer require wubinworks/module-jwt-auth-patch

License

  • OSL-3.0 License
Recommended