CVE-2024-31995: zcap has incomplete expiration checks in capability chains.
When a capability is invoked with a chain depth of 2, i.e., a capability delegated directly from the root capability, its expires property is not properly checked against the current date or the supplied date parameter. This can allow invocations outside the originally intended time period. A zcap still cannot be invoked without being able to use the associated private key material, so the exposure is limited to a delegate continuing to invoke a capability after its expiry.
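The following is an added illustration, not zcap's own code: a constructed model of the bug class described above, an expiration check that is skipped for a chain of depth 2, placed beside a corrected check that validates the expires property of every delegated capability against the invocation date regardless of depth. The chain shape (root first, each later entry a delegation carrying an ISO-8601 `expires` string) and the rule that a delegation must not outlive its parent are assumptions made for the example.

```javascript
// Constructed example; not code from the zcap project.
// Returns a list of expiry problems for a capability chain. `chain` is ordered
// root-first: chain[0] is the root (no `expires` required), every later entry
// is a delegation (assumed to carry an ISO-8601 `expires` string).
// `date` is the invocation time to check against; defaults to now.
function checkChainExpiration(chain, date = new Date()) {
  const errors = [];
  for (let i = 1; i < chain.length; i++) {
    const cap = chain[i];
    if (typeof cap.expires !== 'string') {
      errors.push(`capability ${i} has no expires`);
      continue;
    }
    const expires = new Date(cap.expires);
    if (Number.isNaN(expires.getTime())) {
      errors.push(`capability ${i} has an unparseable expires`);
      continue;
    }
    // The capability is only valid strictly before its expiry instant.
    if (expires <= date) {
      errors.push(`capability ${i} expired at ${cap.expires}`);
    }
    // A delegation must not outlive the delegation it was derived from
    // (general zcap delegation rule; stated here as an assumption of the example).
    const parent = chain[i - 1];
    if (i > 1 && typeof parent.expires === 'string') {
      const parentExpires = new Date(parent.expires);
      if (!Number.isNaN(parentExpires.getTime()) && expires > parentExpires) {
        errors.push(`capability ${i} outlives its parent`);
      }
    }
  }
  return errors;
}

// Buggy variant modelling the advisory's gap: the expiry check is only applied
// when the chain is deeper than root + one delegation. A depth-2 chain passes
// with an expired delegation. (Constructed model, not the actual zcap code.)
function checkChainExpirationBuggy(chain, date = new Date()) {
  if (chain.length <= 2) return [];
  return checkChainExpiration(chain, date);
}

// Constructed sample: a root capability and one direct delegation that expired in 2023.
const sampleChain = [
  { id: 'urn:zcap:root:example', controller: 'did:example:root' },
  {
    id: 'urn:zcap:delegated:1',
    parentCapability: 'urn:zcap:root:example',
    controller: 'did:example:alice',
    expires: '2023-01-01T00:00:00Z',
  },
];
const invocationDate = new Date('2024-06-01T00:00:00Z');

console.log(checkChainExpirationBuggy(sampleChain, invocationDate)); // []
console.log(checkChainExpiration(sampleChain, invocationDate)); // [ 'capability 1 expired at 2023-01-01T00:00:00Z' ]
```

The buggy variant returns no errors for the expired depth-2 delegation, which is the behaviour the advisory describes; the corrected check rejects it, and for deeper chains also rejects a delegation whose expiry exceeds its parent's.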
References
- github.com/advisories/GHSA-hp8h-7x69-4wmv
- github.com/digitalbazaar/zcap
- github.com/digitalbazaar/zcap/commit/261eea040109b6e25159c88d8ed49d3c37f8fcfe
- github.com/digitalbazaar/zcap/commit/55f8549c80124b85dfb0f3dcf83f2c63f42532e5
- github.com/digitalbazaar/zcap/pull/82
- github.com/digitalbazaar/zcap/security/advisories/GHSA-hp8h-7x69-4wmv
- nvd.nist.gov/vuln/detail/CVE-2024-31995