angular-jwt
Library to help you work with JWTs on AngularJS
# Security vulnerability details for angular-jwt < 0.1.10

1. [Domain whitelisting bypass](#domain-whitelisting-bypass)

## Domain whitelisting bypass

### Description

The [domain whitelisting](https://github.com/auth0/angular-jwt#whitelisting-domains) feature can be bypassed. For example, if the setting is initialized with

```js
jwtInterceptorProvider.whiteListedDomains = ['whitelisted.Example.com'];
```

an attacker can set up a domain `whitelistedXexample.com` that will pass the whitelist filter.

The root cause is that `angular-jwt` always treats `whiteListedDomains` entries as regular expressions, so the unescaped `.` separator matches any character instead of a literal dot.

### Mitigation

An updated package is available on [NPM](https://npmjs.com):

```bash
$ npm install angular-jwt@0.1.10
```

To make it easier to keep up with security updates in the future, please make sure your `package.json` file is updated to take patch and minor level updates of our libraries:

```json
{
  "dependencies": {
    "angular-jwt": "^0.1.10"
  }
}
```

### Upgrade notes

1. This fix patches your application but has no impact on your data or user sessions.

### References

1. [CVE-2018-11537](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11537)

### Credits

- Stephan Hauser
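The following is an added example, not angular-jwt's own code: it models the whitelist check described above so the bypass can be reproduced and checked against a hardened comparison. The `isWhitelistedVulnerable` variant is an assumption about how the pre-0.1.10 check behaved (each entry compiled as a regular expression, matched case-insensitively); `hostOf` is a hypothetical helper and the sample URLs are constructed.

```javascript
// Whitelist entry taken from the advisory above.
const whiteListedDomains = ['whitelisted.Example.com'];

// Hypothetical helper: host part of a request URL (WHATWG URL lowercases it).
function hostOf(url) {
  return new URL(url).hostname;
}

// Assumed pre-0.1.10 behaviour: the entry string is compiled into a RegExp,
// so the unescaped '.' matches ANY single character, including 'X'.
function isWhitelistedVulnerable(url, entries) {
  const host = hostOf(url);
  return entries.some(entry => new RegExp('^' + entry + '$', 'i').test(host));
}

// Hardened check: literal, case-insensitive hostname comparison. No regex is
// involved, so '.' only matches a dot and look-alike hosts are rejected.
function isWhitelistedHardened(url, entries) {
  const host = hostOf(url).toLowerCase();
  return entries.some(entry => entry.toLowerCase() === host);
}

// Constructed sample requests: the genuine API host and the look-alike host
// from the advisory.
const legitUrl = 'https://whitelisted.example.com/api/me';
const lookalikeUrl = 'https://whitelistedXexample.com/api/me';

// Side-by-side result for both checks; the vulnerable one accepts the
// look-alike host, the hardened one does not.
function compareChecks() {
  return {
    vulnerable: {
      legit: isWhitelistedVulnerable(legitUrl, whiteListedDomains),
      lookalike: isWhitelistedVulnerable(lookalikeUrl, whiteListedDomains),
    },
    hardened: {
      legit: isWhitelistedHardened(legitUrl, whiteListedDomains),
      lookalike: isWhitelistedHardened(lookalikeUrl, whiteListedDomains),
    },
  };
}

console.log(JSON.stringify(compareChecks(), null, 2));
```

A JWT interceptor that attaches tokens only to whitelisted hosts should use the literal comparison, so a token is never sent to a host that merely matches a pattern.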