
fix: Upgrade jsonwebtoken to address CVE-2022-23540 #5116

Merged
merged 2 commits into from
Jan 13, 2023

Conversation

@n8n-assistant n8n-assistant bot added core Enhancement outside /nodes-base and /editor-ui n8n team Authored by the n8n team labels Jan 9, 2023
@netroy netroy force-pushed the CVE-2022-23540-jsonwebtoken branch from ad8c8d7 to 8240fe0 Compare January 12, 2023 10:03
Contributor

@krynble krynble left a comment


LGTM. What happens to logged in users? It's ok if they are forced to relogin, I just wouldn't like to see them face an error and be forced to clean cookies.

@netroy
Member Author

netroy commented Jan 13, 2023

we've always used HS256 for signing, so this doesn't change anything for existing tokens. This change just prevents someone from bypassing auth verification by sending a token signed with the "none" algorithm.

@netroy netroy merged commit 97969fc into master Jan 13, 2023
@netroy netroy deleted the CVE-2022-23540-jsonwebtoken branch January 13, 2023 17:25
@n8n-assistant n8n-assistant bot added the Upcoming Release Will be part of the upcoming release label Jan 13, 2023
MiloradFilipovic added a commit that referenced this pull request Jan 16, 2023
* master: (38 commits)
  📚 Add warning about latest version
  fix: Upgrade `jsonwebtoken` to address CVE-2022-23540 (#5116)
  refactor: Upgrade typeorm to 0.3.x (#5151)
  refactor(core): Remove linting exceptions in nodes-base (no-changelog) (#4944)
  📚 Update CHANGELOG.md and main package.json to 0.211.0
  🔖 Release n8n@0.211.0
  ⬆️ Set n8n-core@0.151.0, n8n-editor-ui@0.177.0, n8n-nodes-base@0.209.0 and n8n-workflow@0.133.0 on n8n
  🔖 Release n8n-editor-ui@0.177.0
  ⬆️ Set n8n-design-system@0.51.0 and n8n-workflow@0.133.0 on n8n-editor-ui
  🔖 Release n8n-design-system@0.51.0
  🔖 Release n8n-nodes-base@0.209.0
  ⬆️ Set n8n-core@0.151.0 and n8n-workflow@0.133.0 on n8n-nodes-base
  🔖 Release n8n-node-dev@0.90.0
  ⬆️ Set n8n-core@0.151.0 and n8n-workflow@0.133.0 on n8n-node-dev
  🔖 Release n8n-core@0.151.0
  ⬆️ Set n8n-workflow@0.133.0 on n8n-core
  🔖 Release n8n-workflow@0.133.0
  fix(PayPal  Trigger Node): Omit verification on sandbox env (#5150)
  fix(core): Throw error in UI on expression referencing missing node but do not fail execution (#5158)
  fix(Zoom Node): Add notice about deprecation of Zoom JWT app support (#5156)
  ...

# Conflicts:
#	packages/editor-ui/src/constants.ts
@janober
Member

janober commented Jan 16, 2023

Got released with n8n@0.211.1

@janober janober removed the Upcoming Release Will be part of the upcoming release label Jan 16, 2023