GHSA-r2vw-jgq9-jqx2

Опубликовано: 03 сент. 2020

Источник: github

Github: Прошло ревью

Описание

Improper Authorization in @sap-cloud-sdk/core

Affected versions of @sap-cloud-sdk/core do not properly validate JWTs. The verifyJwt() function does not properly validate the URL from where the public verification key for the JWT can be downloaded. Any URL was trusted which makes it possible to provide a URL belonging to a manipulated JWT.

Recommendation

Upgrade to version 1.21.2 or later.

Ссылки

https://www.npmjs.com/advisories/1540

Пакеты

Наименование

@sap-cloud-sdk/core

npm

Затронутые версииВерсия исправления

>= 1.19.0, < 1.21.2

1.21.2

Дефекты

CWE-285

Дефекты

CWE-285