CVE-2018-11537: Security Update for angular-jwt Allow List Bypass
Published: June 5, 2018
CVE number: CVE-2018-11537
Credit: Stephan Hauser
Overview
The domain allowlisting feature can be bypassed. For example, if the setting is initialized with:
jwtInterceptorProvider.whiteListedDomains = ['whitelisted.Example.com'];
an attacker can set up a domain whitelistedXexample.com that will pass the allow list filter. The root cause is that angular-jwt always treats whiteListedDomains entries as regular expressions, so the . separator matches any character instead of only a literal dot.
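The following is an added illustration, not code from angular-jwt itself. It models the defect the advisory describes (a plain string entry compiled into a RegExp, where . matches any character) next to a hardened check that compares string entries literally and only treats genuine RegExp objects as patterns. Case-insensitive matching, the function names and the hostnameOf helper are assumptions made for the example.

```javascript
// Added example, not angular-jwt's own implementation.
// Models the flaw described in the advisory and a hardened alternative.

// Flawed check (illustrative): every string entry is turned into a RegExp,
// so the '.' in 'whitelisted.Example.com' becomes a single-character wildcard
// and 'whitelistedXexample.com' is accepted. Case-insensitivity is assumed.
function isAllowedVulnerable(allowList, hostname) {
  return allowList.some((entry) => {
    const re = entry instanceof RegExp ? entry : new RegExp(entry, 'i');
    return re.test(hostname);
  });
}

// Hardened check: string entries are exact hostnames (compared
// case-insensitively); only values that are already RegExp objects are
// treated as patterns, and those should be anchored by their author.
function isAllowedFixed(allowList, hostname) {
  const host = String(hostname).toLowerCase();
  return allowList.some((entry) => {
    if (entry instanceof RegExp) {
      return entry.test(hostname);
    }
    return typeof entry === 'string' && entry.toLowerCase() === host;
  });
}

// Hostname of the request URL, the value an HTTP interceptor would compare
// before deciding whether to attach the JWT. Helper assumed for this example.
function hostnameOf(url) {
  return new URL(url).hostname;
}

// Constructed inputs taken from the advisory's example.
const allowList = ['whitelisted.Example.com'];
const legitimate = 'https://whitelisted.example.com/api/profile';
const lookalike = 'https://whitelistedXexample.com/api/profile';

// Summarise both checks for a URL; returns an object rather than printing
// so the outcome can be inspected programmatically.
function compareChecks(url) {
  const host = hostnameOf(url);
  return {
    host,
    vulnerable: isAllowedVulnerable(allowList, host),
    fixed: isAllowedFixed(allowList, host),
  };
}

console.log(compareChecks(legitimate)); // both checks: true
console.log(compareChecks(lookalike));  // vulnerable: true, fixed: false
```

The hardened variant is the behaviour a practitioner should expect from an allowlist: a string means one host, and anything that needs wildcard semantics must be supplied as an explicit, anchored RegExp rather than inferred from a string.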
Am I affected?
If the following apply, you are affected by this vulnerability:
You use a version of angular-jwt lower than 0.1.10
You use domain allow listing in your code
How to fix that?
Developers using the angular-jwt library need to upgrade to the latest version: 0.1.10.
The updated package is available on NPM: npm install angular-jwt@0.1.10
To make it easier to keep up with security updates in the future, please make sure your package.json file is updated to take patch and minor level updates of our libraries:
{
  "dependencies": {
    "angular-jwt": "^0.1.10"
  }
}
Will this update impact my users?
No. This fix patches the library that your application runs, but will not impact your users, their current state, or any existing sessions.