Description
When invoking a capability with a chain depth of 2, i.e., one delegated directly from the root capability, the expires property is not properly checked against the current date or another date parameter. This can allow invocations outside the originally intended time period.
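An application-level expiry check over a delegation chain, including the chain-depth-2 case described above. This is an added example, not code from @digitalbazaar/zcap; the chain layout (root first, invoked capability last), the function names and the sample values are assumptions.

```javascript
// Added example: fail-closed expiry check over a zcap delegation chain.
// Assumption: `chain` is ordered root first, invoked capability last.

// Returns the ids of delegated capabilities that must be rejected at `date`.
function findExpiredCapabilities(chain, date = new Date()) {
  const rejected = [];
  // chain[0] is the root capability, which carries no `expires` in this model.
  for (const capability of chain.slice(1)) {
    const expires = Date.parse(capability.expires);
    // A missing or unparseable `expires` is treated as expired (fail closed).
    if (Number.isNaN(expires) || expires <= date.getTime()) {
      rejected.push(capability.id);
    }
  }
  return rejected;
}

// Throws if any delegated capability in the chain is expired at `date`.
function assertChainNotExpired(chain, date = new Date()) {
  const rejected = findExpiredCapabilities(chain, date);
  if (rejected.length > 0) {
    throw new Error(`expired or undated capability: ${rejected.join(', ')}`);
  }
}

// Constructed sample data: chain depth 2, delegated directly from the root.
const sampleRoot = {
  id: 'urn:zcap:root:example',
  controller: 'did:example:alice'
};
const sampleDelegated = {
  id: 'urn:uuid:00000000-0000-4000-8000-000000000001',
  parentCapability: sampleRoot.id,
  controller: 'did:example:bob',
  expires: '2024-01-31T00:00:00Z'
};
const sampleChain = [sampleRoot, sampleDelegated];
```

Passing an explicit `date` lets the same check run against a recorded request time when reviewing past invocations.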
Recommendation
Update the @digitalbazaar/zcap package to the latest compatible version. The version details are as follows:
- Affected version(s): < 9.0.1
- Patched version(s): 9.0.1
Tags: npm, @digitalbazaar/zcap
Last updated on April 21, 2024