GMS-2021-30: Verification flaw in Solid identity-token-verifier
Any Pod on a Solid server using a vulnerable version of the identity-token-verifier library is at risk of a spoofed Demonstration of Proof-of-Possession (DPoP) token binding. This vulnerability could give total and complete access to a targeted Pod.
References
- github.com/advisories/GHSA-xmh9-rg6f-j3mr
- github.com/solid/identity-token-verifier/commit/fbdeb4aa8c12694b3744cd0454acb826817d9e6c
- github.com/solid/identity-token-verifier/releases/tag/0.5.2
- github.com/solid/identity-token-verifier/security/advisories/GHSA-xmh9-rg6f-j3mr
- www.npmjs.com/package/@solid/identity-token-verifier
Code Behaviors & Features
Detect and mitigate GMS-2021-30 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →