This repository has been archived by the owner on Mar 3, 2022. It is now read-only.

Latest version appears vulnerable to CVE-2021-30246 #1373

Open
peelybgl opened this issue May 10, 2021 · 8 comments

@peelybgl

We've recently seen an NPM advisory for a critical dependency issue relating to jsrsasign, https://www.npmjs.com/advisories/1672.

We use release 1.5.4 of oidc-client-js, and the advisory suggests we update to release 1.11.5 (latest). However, while trying to determine what the impact of this vulnerability was to us, we stumbled across this file https://github.com/IdentityModel/oidc-client-js/blob/dev/jsrsasign/header.js, which suggests that sometime in the past the jsrsasign dependency was brought "in-house", and at version 8.0.12 (there are commits that suggest this also).

Which would mean that, while the latest version of oidc-client-js does not have jsrsasign in its list of dependencies (and so does not flag in dependabot or npm audit), it does still depend on it, and on an old version, so it is still vulnerable to this security issue.

Would you agree that is a fair assessment? We are trying to work out what we need to do to stop being vulnerable to this issue.

@andrei-kuzmin-godel

Hello there, we're in the same position.
Any updates on this one?

Thanks!

@brockallen
Member

Isn't this a dup of an older issue?

@peelybgl
Author

Not that I could see @brockallen. I've just had a read of the titles of the 79 open issues and none jump out at me, and I'm not sure I can read all 1000 closed issues 😅

@peelybgl
Author

Any further thoughts on this @brockallen ?

@brockallen
Member

I believe this was the issue I was speaking of: #743

@peelybgl
Author

No, that is not the same issue (or I am really misunderstanding). My issue is more of a question (as you have now labeled it); forget the NPM audit stuff for a moment.

First, a CVE exists which states that any version of jsrsasign before 10.2.0 is vulnerable.

Looking at the oidc-client-js source code, I find this file which appears to import jsrsasign from a local file, not from an NPM package.

That local file states at the top of it that it is version 8.0.12, which would make the built version of oidc-client-js vulnerable to the CVE.

Looking at the package.json shows that jsrsasign is now in the devDependencies (which is why the latest version of oidc-client-js does not trigger the NPM audit warning), but that version is still vulnerable and, more importantly, only ever required in a sample.

So yes, I guess my question is: "NPM audit thinks everything is fine, but I don't think that is true. Looking at what I've found, do you agree with me, or am I wrong?" And if I am right, then my issue is: can we update the jsrsasign in ./oidc-client-js/jsrsasign/dist to the latest version to plug the CVE?

@brockallen
Member

I'm happy to accept a working PR for this. The reason we have a copy is due to the lack of modularity of that package and how heavyweight it is. So how we pull it in is to break it apart. So no idea if what's vulnerable from it is actually included in what we use.

@sk222sw

sk222sw commented May 31, 2021

jsrsasign removed the vulnerabilities a few years ago according to their changelog and this file.

But please correct me if I'm wrong, cause my team is also looking into this :)
