CVE-2024-31995 Information
Description
@digitalbazaar/zcap provides a JavaScript reference implementation for Authorization Capabilities. Prior to version 9.0.1, when invoking a capability with a chain depth of 2 (i.e., one delegated directly from the root capability), the expires property is not properly checked against the current date or other date param. This can allow invocations outside of the originally intended time period. A zcap still cannot be invoked without being able to use the associated private key material. @digitalbazaar/zcap v9.0.1 fixes expiration checking. As a workaround, one may revoke a zcap at any time.
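An application-level guard for the expiry check described above, added here as an illustration and not code from @digitalbazaar/zcap or the advisory. It checks expires on every delegated zcap, including one delegated directly from the root. The function name checkChainExpiry, the root-first array layout of the chain, and the sample ids are assumptions.

```javascript
// Added illustration; not the library's implementation.
// Assumed shape: `chain` is an array ordered root first, invoked zcap last.
// Each delegated zcap carries an ISO 8601 `expires` string; the root has none.
function checkChainExpiry(chain, {date = new Date()} = {}) {
  if (!Array.isArray(chain) || chain.length === 0) {
    return {valid: false, error: 'empty capability chain'};
  }
  // Accept a Date or anything the Date constructor can parse.
  const now = date instanceof Date ? date : new Date(date);
  if (Number.isNaN(now.getTime())) {
    return {valid: false, error: 'invalid comparison date'};
  }
  // Start at index 1 so that every delegated zcap is checked. A chain of
  // depth 2 (root plus one delegation) is handled like any longer chain.
  for (let i = 1; i < chain.length; i++) {
    const {id, expires} = chain[i];
    const t = typeof expires === 'string' ? Date.parse(expires) : NaN;
    if (Number.isNaN(t)) {
      // Fail closed: a delegated zcap without a usable expiry is rejected.
      return {valid: false, error: `zcap ${id}: missing or invalid expires`};
    }
    if (t <= now.getTime()) {
      return {valid: false, error: `zcap ${id}: expired at ${expires}`};
    }
  }
  return {valid: true, error: null};
}

// Constructed sample data: a root zcap and one direct delegation (depth 2).
const sampleRoot = {id: 'urn:zcap:root:constructed-example'};
const sampleDelegated = {
  id: 'urn:uuid:constructed-delegated-1',
  parentCapability: sampleRoot.id,
  expires: '2024-01-01T00:00:00Z'
};

// After the expiry date the depth-2 chain is rejected.
const sampleResult = checkChainExpiry(
  [sampleRoot, sampleDelegated], {date: '2024-06-01T00:00:00Z'});
console.log(sampleResult.valid, sampleResult.error);
```

A guard like this is defense in depth for callers; upgrading to v9.0.1 remains the fix the advisory names.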
Reference
https://github.com/digitalbazaar/zcap/security/advisories/GHSA-hp8h-7x69-4wmv
https://github.com/digitalbazaar/zcap/pull/82
https://github.com/digitalbazaar/zcap/commit/261eea040109b6e25159c88d8ed49d3c37f8fcfe
https://github.com/digitalbazaar/zcap/commit/55f8549c80124b85dfb0f3dcf83f2c63f42532e5