
Security - Upgrade @octokit/auth-app from 4.0.7 to 4.0.9 to Address CVEs #62

Closed
wants to merge 1 commit into from

Conversation


@kj4ezj kj4ezj commented Jan 25, 2023

This pull request attempts to address the following four CVEs by upgrading the minimum required version of @octokit/auth-app from v4.0.7 to v4.0.9, which implicitly upgrades jsonwebtoken to version 9.

  • CVE-2022-23529 - jsonwebtoken has insecure input validation in jwt.verify function
  • CVE-2022-23539 - jsonwebtoken unrestricted key type could lead to legacy keys usage
  • CVE-2022-23540 - jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()
  • CVE-2022-23541 - jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC
