Homepage

dev.dsf:dsf-bpe-server@1.1.0

  • latest version

    1.9.0

  • first published

    2 years ago

  • latest version published

    6 months ago

  • licenses detected

  • package registry

    View on Maven Central Repository
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the dev.dsf:dsf-bpe-server package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Insufficient Session Expiration

    Affected versions of this package are vulnerable to Insufficient Session Expiration in the DSF FHIR and BPE Servers with enabled OIDC authentication due to the lack of session timeout enforcement in OIDC browser sessions. An attacker can gain unauthorized access to a user's session by using the same browser after the original user has logged in and left the session active.

    How to fix Insufficient Session Expiration?

    A fix was pushed into the master branch but not yet published.

    [0,)
    • M
    Always-Incorrect Control Flow Implementation

    Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation due to an inverted time comparison in the OIDC JWKS and token cache processes. An attacker can cause expired tokens to be reused or force repeated network requests to the OIDC provider by exploiting the improper cache validation logic.

    How to fix Always-Incorrect Control Flow Implementation?

    Upgrade dev.dsf:dsf-bpe-server to version 2.1.0 or higher.

    [,2.1.0)
    Go back to all versions of this package