Download the PHP package wubinworks/module-jwt-auth-patch without Composer
On this page you can find all versions of the php package wubinworks/module-jwt-auth-patch. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Download wubinworks/module-jwt-auth-patch
More information about wubinworks/module-jwt-auth-patch
Files in wubinworks/module-jwt-auth-patch
Package module-jwt-auth-patch
Short Description Fix the JWT authentication vulnerability on certain Magento 2 versions. Deny tokens issued by old encryption key. If you cannot upgrade Magento or cannot apply the official patch, try this one.
License OSL-3.0
Homepage https://www.wubinworks.com
FAQ
Example:
In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
- Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
- To use Composer is sometimes complicated. Especially for beginners.
- Composer needs much resources. Sometimes they are not available on a simple webspace.
- If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
- Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Informations about the package module-jwt-auth-patch
Magento 2 JWT Authentication Patch
Fix the JWT authentication vulnerability on certain Magento 2 versions. Deny tokens issued by old encryption key. If you cannot upgrade Magento or cannot apply the official patch, try this one.
Background
In September 2024, an authentication vulnerability was revealed on multiple Magento versions and those versions are identified that a new module Magento_JwtUserToken is employed.
Tokens(especially Admin Tokens) issued by old encryption key remains valid even if a new key is added. The vulnerability is caused by a bug in the above mentioned module. Attacker who once obtained a key can have persistent Admin level WebAPI access to the victim's store.
CVE-2024-34102(aka Cosmic Sting) Secondary Disaster
By exploiting CVE-2024-34102, the attacker can steal the encryption key and craft "valid" Admin Token.
A key rotation without fixing this vulnerability cannot deny the attacker's Admin level access.
Do I really need this patch ?
If your store is already hacked or you are unsure if it is, then you should assume the encryption key is leaked. Performing an encryption key rotation is very urgent.
Rotate Encryption Key
Note1: Perform the key rotation after installing this patch(extension).
Note2: Encryption keys are stored in app/etc/env.php crypt/key path, but do not delete old keys after rotation.
- Login to Admin Panel
- Go to
System > Other Settings > Manage Encryption Key - Change
Auto-generate a KeytoYesand thenChange Encryption Key
More details, including command line methods, are in this blog post.
We also developed a tool for deployment automation purpose. Check Magento 2 Encryption Key Manager CLI.
Requirements
For affected versions only
2.4.4 ~ 2.4.4-p9
2.4.5 ~ 2.4.5-p8
2.4.6 ~ 2.4.6-p6
2.4.7 ~ 2.4.7-p1
Compatibility
This extension does not use preference.
Installation
composer require wubinworks/module-jwt-auth-patch
♥
If you like this extension please star this repository.
You May Also Like
All versions of module-jwt-auth-patch with dependencies
magento/magento2-base Version >=2.4.4 <2.4.4-p10 || >=2.4.5 <2.4.5-p9 || >=2.4.6 <2.4.6-p7 || >=2.4.7 <2.4.7-p2