@digitalbazaar/zcap@7.2.2 vulnerabilities

Authorization Capabilities reference implementation.

Direct Vulnerabilities

Known vulnerabilities in the @digitalbazaar/zcap package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability: Insufficient Session Expiration (severity M)

@digitalbazaar/zcap is an Authorization Capabilities reference implementation.

Affected versions of this package are vulnerable to Insufficient Session Expiration due to incomplete expiration checks in capability chains. When invoking a capability with a chain depth of 2, i.e., one delegated directly from the root capability, the expires property is not properly checked against the current date or other date parameter. This can allow invocations outside of the originally intended time period. However, a zcap still cannot be invoked without being able to use the associated private key material.
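The following is an added example, not code from @digitalbazaar/zcap: an application-side check that walks a capability chain and reports every delegated zcap whose expires value is missing or in the past, including the chain-depth-2 case described above. The chain-as-array shape, the function name findExpiryProblems and the sample ids and dates are assumptions made for illustration.

```javascript
'use strict';
// Simplified model (assumption): chain[0] is the root zcap, which carries no
// expires; each later entry is a delegated zcap with an ISO 8601 expires value.

// Returns one finding per delegated zcap that is expired or has no usable
// expires; an empty array means the whole chain is in date.
function findExpiryProblems(chain, date = new Date()) {
  const now = date.getTime();
  if (Number.isNaN(now)) {
    throw new TypeError('date must be a valid Date');
  }
  const problems = [];
  // Start at index 1: the zcap delegated directly from the root (chain
  // depth 2) must be checked exactly like deeper delegations.
  for (let i = 1; i < chain.length; i++) {
    const {id, expires} = chain[i];
    const t = typeof expires === 'string' ? Date.parse(expires) : NaN;
    if (Number.isNaN(t)) {
      problems.push({id, depth: i + 1, reason: 'missing or invalid expires'});
    } else if (t <= now) {
      problems.push({id, depth: i + 1, reason: 'expired'});
    }
  }
  return problems;
}

// Constructed sample data; ids and dates are made up for illustration.
const root = {id: 'urn:zcap:root:example'};
const depth2 = {id: 'urn:uuid:aaaa', parentCapability: root.id,
  expires: '2024-01-01T00:00:00Z'};
const depth3 = {id: 'urn:uuid:bbbb', parentCapability: depth2.id,
  expires: '2023-12-01T00:00:00Z'};

const beforeExpiry = new Date('2023-11-15T00:00:00Z');
const afterExpiry = new Date('2024-06-01T00:00:00Z');

// Chain of depth 2 checked before and after its expiry, then a depth-3 chain.
console.log(findExpiryProblems([root, depth2], beforeExpiry));
console.log(findExpiryProblems([root, depth2], afterExpiry));
console.log(findExpiryProblems([root, depth2, depth3], afterExpiry));
```

A check like this complements the upgrade rather than replacing it; it does not verify delegation proofs or signatures.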

How to fix Insufficient Session Expiration?

Upgrade @digitalbazaar/zcap to version 9.0.1 or higher.

Vulnerable versions: <9.0.1