Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
zcap has incomplete expiration checks in capability chains.
Vulnerability Description
`@digitalbazaar/zcap` provides JavaScript reference implementation for Authorization Capabilities. Prior to version 9.0.1, when invoking a capability with a chain depth of 2, i.e., it is delegated directly from the root capability, the `expires` property is not properly checked against the current date or other `date` param. This can allow invocations outside of the original intended time period. A zcap still cannot be invoked without being able to use the associated private key material. `@digitalbazaar/zcap` v9.0.1 fixes expiration checking. As a workaround, one may revoke a zcap at any time.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Vulnerability Type
不充分的会话过期机制
Vulnerability Title
zcap 安全漏洞
Vulnerability Description
zcap是Digital Bazaar开源的一个链接数据功能参考实施库。 zcap v9.0.1之前版本存在安全漏洞,该漏洞源于 Incomplete expiration 中的过期检查存在安全问题,允许在预期时间段之外进行调用。
CVSS Information
N/A
Vulnerability Type
N/A