Homepage

@valtimo/components@5.6.0 vulnerabilities

  • latest version

    12.6.1

  • latest non vulnerable version

    12.7.0

  • first published

    3 years ago

  • latest version published

    15 hours ago

  • licenses detected

  • View components package health on Snyk Advisor  (opens in a new tab)
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the @valtimo/components package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • C
    Information Exposure Through Log Files

    Affected versions of this package are vulnerable to Information Exposure Through Log Files due to the misconfiguration of the x-jwt-token header. An attacker can retrieve personal information or execute unauthorized requests by intercepting network traffic to access the exposed token.

    Notes:

    The following conditions have to be met in order to perform this attack:

    1. An attacker needs to have access to the network traffic on the api.form.io domain.

    2. The content of the x-jwt-token header is logged or otherwise available to the attacker.

    3. An attacker needs to have network access to the Valtimo API.

    4. An attacker needs to act within the time-to-live of the access token. The default TTL in Keycloak is 5 minutes.

    How to fix Information Exposure Through Log Files?

    Upgrade @valtimo/components to version 10.8.4, 11.1.6, 11.2.2 or higher.

    <10.8.4>=11.0.0 <11.1.6>=11.2.0 <11.2.2
    Go back to all versions of this package