Impact
Due to a bug in access token validation, authentication is bypassed.
try {
    // Vulnerable: the promise returned by verifyAccessKey is not awaited
    this.authProvider.verifyAccessKey(username, accesskey);
} catch {
    return res.response({}).code(401);
}
return res.response({}).code(200);
The function this.authProvider.verifyAccessKey is an async function, but the code does not use await to wait for the verification result, so the try/catch never sees a failed verification. The handler therefore responds with success every time, and an invalid token only results in an unhandled exception.
Patches
try {
    // Fixed: await makes a failed verification throw inside the try block
    await this.authProvider.verifyAccessKey(username, accesskey);
} catch {
    return res.response({}).code(401);
}
return res.response({}).code(200);
The fix is available in version v2.6.0.
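The difference between the two handlers can be reproduced with the following added example, which is not the project's code. The authProvider and res objects are constructed stubs, and the username and key values are made up.

```javascript
// Constructed stub: stands in for the project's authProvider; only "good-key" is valid.
const authProvider = {
  async verifyAccessKey(username, accesskey) {
    if (accesskey !== "good-key") throw new Error("invalid access key");
  },
};

// Constructed stub of the response toolkit: res.response(body).code(n) returns n.
const res = { response: () => ({ code: (status) => status }) };

// Pre-fix handler: the promise is not awaited, so try/catch never sees the rejection.
async function vulnerableHandler(username, accesskey) {
  try {
    authProvider.verifyAccessKey(username, accesskey);
  } catch {
    return res.response({}).code(401);
  }
  return res.response({}).code(200);
}

// Patched handler: await turns the rejection into an exception inside the try block.
async function fixedHandler(username, accesskey) {
  try {
    await authProvider.verifyAccessKey(username, accesskey);
  } catch {
    return res.response({}).code(401);
  }
  return res.response({}).code(200);
}

// Calls both handlers with a bad key and records the rejection the vulnerable one leaks.
async function demo() {
  const leaked = [];
  const onLeak = (err) => leaked.push(err.message);
  // Without a listener, Node.js 15 and later terminate the process on this rejection.
  process.on("unhandledRejection", onLeak);
  const vulnerable = await vulnerableHandler("alice", "wrong-key");
  const fixed = await fixedHandler("alice", "wrong-key");
  const fixedValid = await fixedHandler("alice", "good-key");
  await new Promise((resolve) => setImmediate(resolve)); // let the rejection surface
  process.off("unhandledRejection", onLeak);
  return { vulnerable, fixed, fixedValid, leaked };
}
```

Calling demo() resolves to the status codes each handler returned plus the messages of any rejections that escaped the try/catch. A lint rule for floating promises, such as @typescript-eslint/no-floating-promises, flags the un-awaited call at build time.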
For more information
If you have any questions or comments about this advisory: