thingsboard/ui/node_modules/angular-jwt/SECURITY-NOTICE.md
2020-05-19 11:43:42 +03:00


Security vulnerability details for angular-jwt < 0.1.10

  1. Domain whitelisting bypass

Domain whitelisting bypass

Description

The domain whitelisting feature can be bypassed. For example, if the setting is initialized with

```js
jwtInterceptorProvider.whiteListedDomains = ['whitelisted.Example.com'];
```

an attacker can register a domain such as `whitelistedXexample.com` that passes the whitelist filter. The root cause is that angular-jwt converts every `whiteListedDomains` entry, plain strings included, into a regular expression, so the unescaped `.` separator matches any single character instead of a literal dot.
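The following is an added example, not angular-jwt's own code. It places a whitelist check that turns string entries into `RegExp` objects (the behaviour described above) next to an exact-match check, and runs both over a constructed set of URLs. The function names, the `WHITELIST` constant and the `base` origin are hypothetical; the hostname is taken from the WHATWG `URL` parser rather than from angular's URL utilities.

```javascript
// Added example (not angular-jwt's own code): whitelist check that converts
// string entries into RegExp objects, next to an exact-match check.
// Function names and the base origin below are hypothetical.

// Constructed configuration, as in the advisory.
const WHITELIST = ['whitelisted.Example.com'];

// Vulnerable pattern: every entry becomes a RegExp, so the unescaped "."
// in the string matches any single character, and the unanchored pattern
// also matches when the whitelisted name is only a substring of the host.
function isHostWhitelistedVulnerable(hostname, whiteListedDomains) {
  return whiteListedDomains.some((entry) => {
    const re = entry instanceof RegExp ? entry : new RegExp(entry, 'i');
    return re.test(hostname);
  });
}

// Hardened pattern: strings are compared as whole hostnames, case-insensitively
// (DNS names are case-insensitive); only an entry that is already a RegExp is
// treated as a pattern, so any wildcarding is explicit and anchored by its author.
function isHostWhitelistedFixed(hostname, whiteListedDomains) {
  const host = hostname.toLowerCase();
  return whiteListedDomains.some((entry) =>
    entry instanceof RegExp ? entry.test(host) : entry.toLowerCase() === host
  );
}

// Extract the hostname an interceptor would compare, using the WHATWG URL
// parser (which lowercases ASCII hostnames), then apply the chosen check.
// Relative URLs resolve against `base`, a stand-in for the app's own origin.
function isSafeUrl(url, whiteListedDomains, check, base = 'https://app.example.com') {
  const { hostname } = new URL(url, base);
  return check(hostname, whiteListedDomains);
}

// Constructed inputs: the legitimate host, the "." bypass from the advisory,
// and a lookalike that contains the whitelisted name as a substring.
function compareChecks(urls = [
  'https://whitelisted.example.com/api/token',
  'https://whitelistedXexample.com/api/token',
  'https://whitelisted.example.com.attacker.test/api/token',
]) {
  return urls.map((url) => ({
    url,
    vulnerable: isSafeUrl(url, WHITELIST, isHostWhitelistedVulnerable),
    fixed: isSafeUrl(url, WHITELIST, isHostWhitelistedFixed),
  }));
}

for (const r of compareChecks()) {
  console.log(`${r.url}\n  regex-converted check: ${r.vulnerable}\n  exact-match check: ${r.fixed}`);
}
```

With the regex-converted check all three URLs are accepted; with the exact-match check only the first one is. An application that genuinely needs subdomain matching passes a `RegExp` entry such as `/^(.+\.)?example\.com$/i`, which keeps the dot escaped and the pattern anchored at both ends.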

Mitigation

An updated package is available on npm:

```sh
$ npm install angular-jwt@0.1.10
```

To make it easier to keep up with security updates in the future, make sure your package.json uses a version range that accepts patch- and minor-level updates of our libraries:

```json
{
  "dependencies": {
    "angular-jwt": "^0.1.10"
  }
}
```

Upgrade notes

  1. This fix patches your application but has no impact on your data or user sessions.

References

  1. CVE-2018-11537

Credits

  • Stephan Hauser