CVE-2024-31995

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-31995

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-31995.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-31995

Aliases

GHSA-hp8h-7x69-4wmv

Related

GHSA-hp8h-7x69-4wmv

Published

2024-04-10T22:15:07Z

Modified

2025-01-08T16:01:12.632407Z

Summary

[none]

Details

@digitalbazaar/zcap provides JavaScript reference implementation for Authorization Capabilities. Prior to version 9.0.1, when invoking a capability with a chain depth of 2, i.e., it is delegated directly from the root capability, the expires property is not properly checked against the current date or other date param. This can allow invocations outside of the original intended time period. A zcap still cannot be invoked without being able to use the associated private key material. @digitalbazaar/zcap v9.0.1 fixes expiration checking. As a workaround, one may revoke a zcap at any time.

References

Affected packages

Git / github.com/digitalbazaar/zcap

Affected ranges

Type: GIT
Repo: https://github.com/digitalbazaar/zcap
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

261eea040109b6e25159c88d8ed49d3c37f8fcfe

Fixed

261eea040109b6e25159c88d8ed49d3c37f8fcfe

Fixed

55f8549c80124b85dfb0f3dcf83f2c63f42532e5

Fixed

55f8549c80124b85dfb0f3dcf83f2c63f42532e5

Affected versions

v0.*

v0.1.0

v0.1.1-0

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.1.0

v1.2.0

v1.2.1

v1.3.0

v1.3.1

v1.4.0

v1.5.0

v1.5.1

v1.6.0

v1.6.1

v1.7.0

v1.8.0

v2.*

v2.0.0

v3.*

v3.0.0

v3.1.0

v3.1.1

v4.*

v4.0.0

v5.*

v5.0.0

v5.1.0

v5.1.1

v5.1.2

v5.1.3

v5.2.0

v6.*

v6.0.0

v7.*

v7.0.0

v7.0.1

v7.1.0

v7.2.0

v7.2.1

v7.2.2

v8.*

v8.0.0

v9.*

v9.0.0