Homepage
About Snyk

Access Restriction Bypass Affecting angular-jwt package, versions <0.1.10

Severity

 Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.14% (51st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID npm:angular-jwt:20180605
  • published 16 Aug 2018
  • disclosed 5 Jun 2018
  • credit Stephan Hauser
Report a new vulnerability Found a mistake?

Introduced: 5 Jun 2018

CVE-2018-11537 Open this link in a new tab
CWE-284 Open this link in a new tab

How to fix?

Upgrade angular-jwt to version 0.1.10 or higher.

Overview

angular-jwt is a library to help you work with JWTs.

Affected versions of this package are vulnerable to Access Restriction Bypass. Due to treating whiteListedDomains entries as regular expressions, An attacker with knowledge of the jwtInterceptorProvider.whiteListedDomains setting could bypass the domain whitelist filter via a crafted domain.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
6.5 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    Low
  • Integrity (I)
    Low
  • Availability (A)
    None