CVE-2021-32738: Improper Authentication
(updated )
js-stellar-sdk is a Javascript library for communicating with a Stellar Horizon server. The Utils.readChallengeTx
function used in SEP-10 Stellar Web Authentication states in its function documentation that it reads and validates the challenge transaction including verifying that the serverAccountID
has signed the transaction. In js-stellar-sdk, the function does not verify that the server has signed the transaction. Applications that also used Utils.verifyChallengeTxThreshold
or Utils.verifyChallengeTxSigners
to verify the signatures including the server signature on the challenge transaction are unaffected as those functions verify the server signed the transaction. Applications calling Utils.readChallengeTx
should update to, the first version with a patch for this vulnerability, to ensure that the challenge transaction is completely valid and signed by the server creating the challenge transaction.
References
Detect and mitigate CVE-2021-32738 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →