CVE-2021-41106: 
PHP vulnerability analysis and mitigation

JWT is a library for working with JSON Web Token and JSON Web Signature. The vulnerability CVE-2021-41106 was discovered and disclosed on September 28, 2021, affecting versions >=3.4.0,<3.4.6, >=4.0.0,<4.0.4, and >=4.1.0,<4.1.5 of the lcobucci/jwt package. The issue involves incorrect handling of HMAC-based algorithms (HS256, HS384, and HS512) when used with LocalFileReference as key (GitHub Advisory).

The vulnerability occurs when HMAC-based algorithms are combined with Lcobucci\JWT\Signer\Key\LocalFileReference as key. In these cases, tokens are issued and validated using the file path as the hashing key instead of the actual file contents. The HMAC hashing functions accept any string as input, which leads users to believe everything works properly when it actually doesn't. The vulnerability has been assigned a CVSS v3.1 base score of 3.3 (LOW) by NVD and 4.4 (MEDIUM) by GitHub (NVD).

The impact of this vulnerability is that tokens may be incorrectly signed and validated when using HMAC-based algorithms with LocalFileReference as the key. This could potentially lead to authentication issues as the system uses incorrect key material (file paths instead of file contents) for cryptographic operations (GitHub Advisory).

The issue has been patched in versions 3.4.6, 4.0.4, and 4.1.5. The fix includes always loading file contents, deprecating the Lcobucci\JWT\Signer\Key\LocalFileReference class, and suggesting Lcobucci\JWT\Signer\Key\InMemory as the alternative. As a workaround, users should use Lcobucci\JWT\Signer\Key\InMemory instead of Lcobucci\JWT\Signer\Key\LocalFileReference to create key instances (GitHub Advisory).