PT-2020-21475 — Improper Authorization in Sap @Sap-Cloud-Sdk/Core

PT-2020-21475 · Sap · @Sap-Cloud-Sdk/Core

Published

2020-09-03

Updated

2020-09-03

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.

Name of the Vulnerable Software and Affected Versions @sap-cloud-sdk/core versions prior to 1.21.2

Description The issue concerns improper validation of JWTs in the affected software. Specifically, the verifyJwt() function does not correctly validate the URL from which the public verification key for the JWT is downloaded, trusting any provided URL. This makes it possible to manipulate the JWT by providing a URL belonging to it.

Recommendations Upgrade to version 1.21.2 or later.

Improper Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-285

Related Identifiers

GHSA-R2VW-JGQ9-JQX2

Affected Products

@Sap-Cloud-Sdk/Core

PT-2020-21475 · Sap · @Sap-Cloud-Sdk/Core

Weakness Enumeration

Related Identifiers

Affected Products

References · 2