CVE-2018-11537: Security Update for angular-jwt Allow List Bypass
Published: June 5, 2018
CVE number: CVE-2018-11537
Credit: Stephan Hauser
Overview
The domain allowlisting feature can be bypassed. For example, if the setting is initialized with:
jwtInterceptorProvider.whiteListedDomains = ['whitelisted.Example.com'];
An attacker can set up a domain whitelistedXexample.com
that will pass the allow list filter. The root cause for this is that angular-jwt
always treats whiteListedDomains
entries as regular expressions and causes .
separator to match any character.
Am I affected?
If the following apply you are affected by this vulnerability:
You use a version of angular-jwt lower than
0.1.10
You use domain allow listing in your code
How to fix that?
Developers using the angular-jwt library need to upgrade to the latest version: 0.1.10
.
Updated package is available on NPM: npm install angular-jwt@0.1.10
To make it easier to keep up with security updates in the future, please make sure your package.json
file is updated to take patch and minor level updates of our libraries:
{
"dependencies": {
"angular-jwt": "^0.1.10"
}
}
feedbackSection.helpful
Will this update impact my users?
No. This fix patches the library that your application runs, but will not impact your users, their current state, or any existing sessions.