This post delves into a very impactful JWT Authentication Bypass vulnerability (CVE-2023-30845) found in ESP-v2, an open-source service proxy that provides API management capabilities using Google Service Infrastructure. This vulnerability allows malicious API clients to bypass JWT authentication through crafty manipulation of the X-HTTP-Method-Override header under specific circumstances. The importance of this issue is highlighted by the significant market share commanded by the Google Cloud Platform (GCP), reported at 11% of the global cloud market…
