OADA / oada-trusted-jws-js

Check if a JWS was signed by an OADA trusted party
Apache License 2.0

Small security issue #2

Closed snyff closed 4 years ago

snyff commented 4 years ago

Hi,

I discovered a tiny security issue with this package. What is the best way to report it?

Best, Louis

aultac commented 4 years ago

Thanks!! Please email details to aaron@openag.io so we can take a look.

snyff commented 4 years ago

Done; the email comes from my work email: louis@pent...

dukeofdisaster commented 4 years ago

Any update on this?

aultac commented 4 years ago

Yes, thanks to @snyff for the heads up. The issue was that the library fetches the jku URL on a signature even if that signature is considered untrusted. As stated in the readme, this library is deprecated now in favor of https://github.com/oada/oada-certs. The issue has been fixed there and published.
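The ordering defect described in the comment above, as an added example that is not code from oada-trusted-jws, oada-certs or the issue thread: the jku is checked against a trusted list before any fetch happens, so an untrusted signature never causes a request. The trusted prefix list and the injected `fetchKeys` callback are assumptions for illustration.

```javascript
// Added example, not oada-trusted-jws or oada-certs code. It shows the ordering
// fix described in the issue: decide whether the jku is trusted BEFORE anything
// is fetched. The trusted prefix list is a constructed placeholder and
// `fetchKeys` is an injected callback so the check runs offline.
const TRUSTED_JKU_PREFIXES = ['https://keys.example.com/trusted/']; // constructed

function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function b64urlDecodeJson(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Build a compact JWS with a constructed payload and a dummy signature;
// only the protected header matters for this check.
function makeSampleJws(header) {
  return [b64urlEncode(header), b64urlEncode({ iss: 'sample' }), 'c2ln'].join('.');
}

// Decode only the protected header; no signature verification happens here.
function parseProtectedHeader(compactJws) {
  const parts = compactJws.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return b64urlDecodeJson(parts[0]);
}

// A jku is trusted only if it parses, is https, and its normalized href sits
// under a trusted prefix (normalization collapses "/../" segments).
function isTrustedJku(jku) {
  if (typeof jku !== 'string') return false;
  let url;
  try { url = new URL(jku); } catch (e) { return false; }
  if (url.protocol !== 'https:') return false;
  return TRUSTED_JKU_PREFIXES.some((p) => url.href.startsWith(p));
}

// Defect pattern from the issue: fetch the jku, then decide trust.
// Hardened order: decide trust first, so an untrusted jku is never fetched.
// `fetchKeys(url)` is the injected key-set loader; it is only ever called
// with a jku that passed isTrustedJku.
function resolveKeySet(compactJws, fetchKeys) {
  const { jku } = parseProtectedHeader(compactJws);
  if (!isTrustedJku(jku)) return { trusted: false, fetched: false, keys: null };
  return { trusted: true, fetched: true, keys: fetchKeys(jku) };
}
```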