Impact
Due to a bug in access token validation, authentication is bypassed.
    try {
      this.authProvider.verifyAccessKey(username, accesskey);
    } catch {
      return res.response({}).code(401);
    }
    return res.response({}).code(200);
The function this.authProvider.verifyAccessKey is an async function, but the code does not use await to wait for the verification result.
As a result, the function responds with success every time, along with an unhandled exception if the token is invalid.
Patches
    try {
      await this.authProvider.verifyAccessKey(username, accesskey);
    } catch {
      return res.response({}).code(401);
    }
    return res.response({}).code(200);
The patch is included in the new version v2.6.0.
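The following is an added example, not code from the project: it runs the pre-patch and patched handler shapes side by side against a rejecting verifier and records the status code each returns and the unhandled rejection the dropped promise leaves behind. The `authProvider` stub, `makeRes`, `runDemo`, the handler names and the sample key are constructed for illustration.

```javascript
// Added illustration: authProvider, makeRes and the handler names are constructed stand-ins.
const unhandled = [];
process.on('unhandledRejection', (err) => unhandled.push(err.message));

// Async verifier that rejects on a bad key (the sample key value is constructed).
const authProvider = {
  async verifyAccessKey(username, accesskey) {
    if (accesskey !== 'valid-key') throw new Error(`invalid access key for ${username}`);
  },
};

// Minimal response object supporting res.response(body).code(status).
const makeRes = () => ({ response: (body) => ({ code: (status) => ({ body, status }) }) });

// Pre-patch shape: the promise is dropped, so try/catch never sees the rejection.
async function vulnerableHandler(username, accesskey, res) {
  try {
    authProvider.verifyAccessKey(username, accesskey);
  } catch {
    return res.response({}).code(401);
  }
  return res.response({}).code(200);
}

// Patched shape: await surfaces the rejection as an exception inside the try block.
async function patchedHandler(username, accesskey, res) {
  try {
    await authProvider.verifyAccessKey(username, accesskey);
  } catch {
    return res.response({}).code(401);
  }
  return res.response({}).code(200);
}

// Calls both handlers with a bad key (and the patched one with a good key).
async function runDemo(user = 'alice') {
  const vulnerableBad = (await vulnerableHandler(user, 'wrong-key', makeRes())).status;
  const patchedBad = (await patchedHandler(user, 'wrong-key', makeRes())).status;
  const patchedGood = (await patchedHandler(user, 'valid-key', makeRes())).status;
  // Yield one macrotask so Node reports the rejection nobody handled.
  await new Promise((resolve) => setImmediate(resolve));
  const leaked = unhandled.filter((m) => m.includes(user)).length;
  return { vulnerableBad, patchedBad, patchedGood, unhandled: leaked };
}

runDemo().then((r) => console.log(r));
```

A lint rule that flags floating promises, such as `@typescript-eslint/no-floating-promises`, catches this class of bug before it ships.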
For more information
If you have any questions or comments about this advisory: