
Dependency jsrsasign of angular-oauth2-oidc-jwks has a critical vulnerability #1061

Closed
jmac105 opened this issue Apr 15, 2021 · 8 comments · Fixed by #1072
Labels
bug For tagging faulty or unexpected behavior. dependencies Pull requests that update a dependency file

Comments

@jmac105

jmac105 commented Apr 15, 2021

Describe the bug
angular-oauth2-oidc-jwks has a dependency "jsrsasign": "^8.0.12"
CVE-2021-30246 has been published with a CVSS 3.x score of 9.1 and affects all versions of jsrsasign prior to 10.2.0

References
See https://nvd.nist.gov/vuln/detail/CVE-2021-30246 & GHSA-27fj-mc8w-j9wg

I'll try and raise a PR to update that dependency later today, as it would be great to get this resolved ASAP.

@jeroenheijmans jeroenheijmans added bug For tagging faulty or unexpected behavior. dependencies Pull requests that update a dependency file labels Apr 15, 2021
@Swabo

Swabo commented May 4, 2021

Any updates on this? I'd really appreciate this to be fixed. Or even better, are there any chances to get the implicit flow running without jsrsasign? Unfortunately there is currently no chance to use Code Flow in my project...

@jeroenheijmans
Collaborator

No updates on any fix, but as to your other question:

any chances to get the implicit flow running without jsrsasign

Your only options will be either using the NullValidationHandler (and understanding the implications of doing so) instead of JwksValidationHandler and ignoring the CVE (since you're then no longer effectively using jsrsasign), or switching to code flow (I think).

@coyoteecd
Contributor

I submitted a PR with the version bump; meanwhile, you can use the workaround described here: https://stackoverflow.com/a/62956076/26391

@Swabo

Swabo commented May 12, 2021

@jeroenheijmans @coyoteecd thanks for the advice! I think I'll wait a few more days for the PR to be merged as I'm not aware of all the breaking changes between two major versions of jsrsasign and their implications on angular-oauth2-oidc.

@jeroenheijmans
Collaborator

FWIW I can confirm that my production application has pinned (in package-lock.json) jsrsasign on 10.2.0+ and runs smoothly with it so far.
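A defender-side check for the kind of pin described above, added here as an example that is not part of this thread or of the library's own code: a Node script that walks a package-lock.json (v1 nested `dependencies` or v2/v3 `packages`) and flags every jsrsasign entry below 10.2.0, the first version the issue reports as unaffected by CVE-2021-30246. The lock-file contents are constructed sample data.

```javascript
// Added example, not from the issue thread: scan a package-lock.json for
// jsrsasign and flag any copy below 10.2.0, the first version the issue
// reports as unaffected by CVE-2021-30246. Sample lock data is constructed.
const FIXED_VERSION = "10.2.0";
// "MAJOR.MINOR.PATCH" -> [major, minor, patch]; pre-release/build tags dropped.
function parseVersion(v) {
  return v.split(/[-+]/)[0].split(".").map((n) => parseInt(n, 10) || 0);
}
// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}
// Collect every jsrsasign entry: lockfileVersion 1 nests "dependencies",
// lockfileVersion 2/3 lists "packages" keyed by node_modules path.
function findJsrsasign(lock) {
  const hits = [];
  const walk = (deps, prefix) => {
    for (const [name, info] of Object.entries(deps || {})) {
      if (name === "jsrsasign") hits.push({ path: prefix + name, version: info.version });
      walk(info.dependencies, prefix + name + "/");
    }
  };
  walk(lock.dependencies, "");
  for (const [p, info] of Object.entries(lock.packages || {})) {
    if (p.endsWith("node_modules/jsrsasign")) hits.push({ path: p, version: info.version });
  }
  return hits;
}
// Entries still below the fixed version (what a CI gate would fail on).
function vulnerableJsrsasign(lock) {
  return findJsrsasign(lock).filter((h) => compareVersions(h.version, FIXED_VERSION) < 0);
}
// Constructed sample: v1 lock where jsrsasign comes in transitively via the
// "^8.0.12" range quoted in the issue.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    "angular-oauth2-oidc-jwks": { dependencies: { jsrsasign: { version: "8.0.12" } } },
  },
};
console.log(vulnerableJsrsasign(sampleLock)); // [{ path: "angular-oauth2-oidc-jwks/jsrsasign", version: "8.0.12" }]
```

Run it against a real lock file by replacing `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json"))`; a non-empty result means a pre-10.2.0 jsrsasign is still resolved somewhere in the tree.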

@bschnabel

I just updated angular-oauth2-oidc to version 12.0.1 from previously 9.x. When running npm install I get

npm WARN angular-oauth2-oidc@12.0.1 requires a peer of @angular/core@>=12.0.0 but none is installed. You must install peer dependencies yourself.

On the other hand in the readme it states:

Angular 12: Use 12.x versions of this library (should also work with older Angular versions!).
Angular 11: Use 10.x versions of this library (should also work with older Angular versions!).
Angular 10: Use 10.x versions of this library (should also work with older Angular versions!).
Angular 9: Use 9.x versions of this library (should also work with older Angular versions!).

which sounds to me like version 12.x of the library should also work with older versions of Angular (I'm using 9.x).

So can I just ignore the npm warning? Why do you have Angular >= 12 as a requirement if you say it should also work with older versions?

@bschnabel

answered in #1111

@leogouveia

Is there any news about this issue?
This bug continues in version 17.0.0.
#1111 was closed as it refers to version 12.
