[Snyk] Security upgrade hapi-auth-jwt2 from 7.0.1 to 10.7.0 #22
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-COOKIE-8163060
@@ -4366,6 +4662,38 @@ jsonwebtoken@^8.1.0: | |||
ms "^2.1.1" | |||
xtend "^4.0.1" | |||
|
|||
jsonwebtoken@^8.3.0, jsonwebtoken@^8.5.1: |
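Review bot: the "jsonwebtoken@^8.3.0, jsonwebtoken@^8.5.1:" entry added here resolves within 8.x, below the 9.0.0 that the CVE-2022-23539 and CVE-2022-23541 findings on this file require, while the PR description claims only SNYK-JS-COOKIE-8163060 is fixed; both jsonwebtoken findings therefore stay open after merge. Suggest checking whether the package that declares the ^8 range (yarn why jsonwebtoken shows it) can take jsonwebtoken 9 and bumping it in the same PR, or else recording the two findings as known and tracked rather than letting the "1 vulnerabilities" summary imply the file is clean.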
Risk: Affected versions of jsonwebtoken are vulnerable to Use Of A Broken Or Risky Cryptographic Algorithm. The library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm.
Manual Review Advice: A vulnerability from this advisory is reachable if you are using a legacy, insecure key type with a supported algorithm; for example, DSA keys could be used with the RS256 algorithm.
Fix: Upgrade this library to at least version 9.0.0 at auth0-account-link-extension/yarn.lock:4665.
Reference(s): GHSA-8cf7-32gw-wr33, CVE-2022-23539
Ignore this finding from ssc-30d12dd5-94ad-46fa-9d32-3d5477d86f3e.
@@ -4323,6 +4608,17 @@ jsonify@~0.0.0: | |||
version "0.0.0" | |||
resolved "https://registry.yarnpkg.com/jsonify/-/jsonify-0.0.0.tgz#2c74b6ee41d93ca51b7b5aaee8f503631d252a73" | |||
|
|||
jsonwebtoken@7.1.9: |
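Review bot: the new "jsonwebtoken@7.1.9:" entry is an exact pin, so unlike the ^8.x range elsewhere in this lockfile it can never be satisfied by the 9.0.0 that the findings on this file ask for; whichever dependency declares that pin blocks the fix outright. Before merging, identify the dependent (yarn why jsonwebtoken) and check whether it has a release that lifts the pin; otherwise this PR leaves two separate pre-9.0.0 copies of jsonwebtoken (7.1.9 and 8.x) in the tree, each carrying the CVE-2022-23539 and CVE-2022-23541 findings reported below.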
Risk: Affected versions of jsonwebtoken are vulnerable to Use Of A Broken Or Risky Cryptographic Algorithm. The library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm.
Manual Review Advice: A vulnerability from this advisory is reachable if you are using a legacy, insecure key type with a supported algorithm; for example, DSA keys could be used with the RS256 algorithm.
Fix: Upgrade this library to at least version 9.0.0 at auth0-account-link-extension/yarn.lock:4611.
Reference(s): GHSA-8cf7-32gw-wr33, CVE-2022-23539
Ignore this finding from ssc-30d12dd5-94ad-46fa-9d32-3d5477d86f3e.
@@ -4366,6 +4662,38 @@ jsonwebtoken@^8.1.0: | |||
ms "^2.1.1" | |||
xtend "^4.0.1" | |||
|
|||
jsonwebtoken@^8.3.0, jsonwebtoken@^8.5.1: |
Risk: Affected versions of jsonwebtoken are vulnerable to Improper Authentication. Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC.
Manual Review Advice: A vulnerability from this advisory is reachable if you are using a poorly implemented key retrieval function and your application supports the use of both symmetric and asymmetric keys in the jwt.verify() implementation with the same key retrieval function.
Fix: Upgrade this library to at least version 9.0.0 at auth0-account-link-extension/yarn.lock:4665.
Reference(s): GHSA-hjrf-2m68-5959, CVE-2022-23541
Ignore this finding from ssc-1676dcdc-09e4-4f68-8fa8-5ff232a5b53f.
@@ -4323,6 +4608,17 @@ jsonify@~0.0.0: | |||
version "0.0.0" | |||
resolved "https://registry.yarnpkg.com/jsonify/-/jsonify-0.0.0.tgz#2c74b6ee41d93ca51b7b5aaee8f503631d252a73" | |||
|
|||
jsonwebtoken@7.1.9: |
Risk: Affected versions of jsonwebtoken are vulnerable to Improper Authentication. Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC.
Manual Review Advice: A vulnerability from this advisory is reachable if you are using a poorly implemented key retrieval function and your application supports the use of both symmetric and asymmetric keys in the jwt.verify() implementation with the same key retrieval function.
Fix: Upgrade this library to at least version 9.0.0 at auth0-account-link-extension/yarn.lock:4611.
Reference(s): GHSA-hjrf-2m68-5959, CVE-2022-23541
Ignore this finding from ssc-1676dcdc-09e4-4f68-8fa8-5ff232a5b53f.
Snyk has created this PR to fix 1 vulnerability in the yarn dependencies of this project.
Snyk changed the following file(s):
package.json
yarn.lock
Note for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory, meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project; you will need to run yarn to update the contents of the ./yarn/cache directory. If you are not using zero-installs you can ignore this, as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-COOKIE-8163060
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.