Vulnerability	Vulnerable Version
M Insufficient Session Expiration @digitalbazaar/zcap is an Authorization Capabilities reference implementation. Affected versions of this package are vulnerable to Insufficient Session Expiration due to incomplete expiration checks in capability chains. When invoking a capability with a chain depth of 2, i.e., it is delegated directly from the root capability, the `expires` property is not properly checked against the current date or other `date` param. This can allow invocations outside of the original intended time period. However, a zcap still cannot be invoked without being able to use the associated private key material. How to fix Insufficient Session Expiration? Upgrade `@digitalbazaar/zcap` to version 9.0.1 or higher.	<9.0.1

Insufficient Session Expiration

@digitalbazaar/zcap is an Authorization Capabilities reference implementation.

Affected versions of this package are vulnerable to Insufficient Session Expiration due to incomplete expiration checks in capability chains. When invoking a capability with a chain depth of 2, i.e., it is delegated directly from the root capability, the expires property is not properly checked against the current date or other date param. This can allow invocations outside of the original intended time period. However, a zcap still cannot be invoked without being able to use the associated private key material.

How to fix Insufficient Session Expiration?

Upgrade @digitalbazaar/zcap to version 9.0.1 or higher.

<9.0.1

Go back to all versions of this package