GMS-2020-37: Improper Authorization in @sap-cloud-sdk/core

September 3, 2020 (updated October 4, 2021)

Affected versions of @sap-cloud-sdk/core do not properly validate JWTs. The verifyJwt() function does not properly validate the URL from where the public verification key for the JWT can be downloaded. Any URL was trusted which makes it possible to provide a URL belonging to a manipulated JWT. Upgrade to or later.

References

github.com/advisories/GHSA-r2vw-jgq9-jqx2
www.npmjs.com/advisories/1540

Code Behaviors & Features

Detect and mitigate GMS-2020-37 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →