Describe the Bug
Last week, this vulnerability was published and fixed in jose:
"A vulnerability in jose versions up to and including 0.3.5 could allow an unauthenticated, remote attacker to forge valid JWS/JWT tokens by using a key embedded in the JOSE header (jwk)
....
Patches
Upgrade to 0.3.5+1 or later.
Workarounds
Reject tokens where header jwk is present unless that jwk matches a key already present in the application's trusted key store."
See GHSA-vm9r-h74p-hg97
flutter pub get
...
jose 0.3.5 (affected by advisory: [^0], 0.3.5+2 available)
...
Success criteria
App Version: solidpod 0.12.2
Closing Criteria
Checklist for closing the issue:
make prep
make qtest
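The workaround quoted from the advisory, sketched as an added example (this is not code from jose or solidpod). It uses only dart:convert; the names identifying, jwkIdentity and headerJwkAllowed are hypothetical, and keys are matched on their identifying public members (the RFC 7638 member sets) rather than by calling any jose API.

```dart
import 'dart:convert';

// Public members that identify a key, per kty (the RFC 7638 member sets).
const identifying = {
  'RSA': ['e', 'kty', 'n'],
  'EC': ['crv', 'kty', 'x', 'y'],
  'OKP': ['crv', 'kty', 'x'],
};

// Hypothetical helper: canonical identity of a public JWK, null if unusable.
String? jwkIdentity(Map<String, dynamic> jwk) {
  final members = identifying[jwk['kty']];
  if (members == null) return null;
  final id = <String, String>{};
  for (final m in members) {
    final v = jwk[m];
    if (v is! String || v.isEmpty) return null;
    id[m] = v;
  }
  return jsonEncode(id);
}

// Hypothetical gate run before verification. True only means the token may go
// on to be verified with trust-store keys; the header key is never trusted.
bool headerJwkAllowed(String jws, List<Map<String, dynamic>> trusted) {
  final parts = jws.split('.');
  if (parts.length != 3) return false; // not a compact JWS
  Object? header;
  try {
    final raw = base64Url.decode(base64Url.normalize(parts[0]));
    header = jsonDecode(utf8.decode(raw));
  } on FormatException {
    return false; // undecodable header
  }
  if (header is! Map<String, dynamic>) return false;
  if (!header.containsKey('jwk')) return true; // no embedded key
  final jwk = header['jwk'];
  if (jwk is! Map<String, dynamic>) return false;
  final id = jwkIdentity(jwk);
  return id != null && trusted.any((k) => jwkIdentity(k) == id);
}

void main() {
  // Constructed sample values, not real keys or tokens.
  final trusted = [{'kty': 'OKP', 'crv': 'Ed25519', 'x': 'trusted-x'}];
  String token(Map<String, dynamic> h) =>
      '${base64Url.encode(utf8.encode(jsonEncode(h)))}.e30.sig';
  final forged = {'alg': 'EdDSA', 'jwk': {'kty': 'OKP', 'crv': 'Ed25519', 'x': 'attacker-x'}};
  print('unknown embedded key: ${headerJwkAllowed(token(forged), trusted)}');
  print('no embedded key: ${headerJwkAllowed(token({'alg': 'EdDSA'}), trusted)}');
}
```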