CVE-2024-31995

{"id": "CVE-2024-31995", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2024-04-10T22:15:07.340", "references": [{"url": "https://github.com/digitalbazaar/zcap/commit/261eea040109b6e25159c88d8ed49d3c37f8fcfe", "source": "security-advisories@github.com"}, {"url": "https://github.com/digitalbazaar/zcap/commit/55f8549c80124b85dfb0f3dcf83f2c63f42532e5", "source": "security-advisories@github.com"}, {"url": "https://github.com/digitalbazaar/zcap/pull/82", "source": "security-advisories@github.com"}, {"url": "https://github.com/digitalbazaar/zcap/security/advisories/GHSA-hp8h-7x69-4wmv", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-613"}]}], "descriptions": [{"lang": "en", "value": "`@digitalbazaar/zcap` provides JavaScript reference implementation for Authorization Capabilities. Prior to version 9.0.1, when invoking a capability with a chain depth of 2, i.e., it is delegated directly from the root capability, the `expires` property is not properly checked against the current date or other `date` param. This can allow invocations outside of the original intended time period. A zcap still cannot be invoked without being able to use the associated private key material. `@digitalbazaar/zcap` v9.0.1 fixes expiration checking. As a workaround, one may revoke a zcap at any time."}, {"lang": "es", "value": "`@digitalbazaar/zcap` proporciona una implementaci\u00f3n de referencia de JavaScript para capacidades de autorizaci\u00f3n. Antes de la versi\u00f3n 9.0.1, al invocar una capacidad con una profundidad de cadena de 2, es decir, se delega directamente desde la capacidad ra\u00edz, la propiedad \"expires\" no se verifica adecuadamente con la fecha actual u otro par\u00e1metro de \"fecha\". Esto puede permitir invocaciones fuera del per\u00edodo de tiempo previsto original. A\u00fan no se puede invocar un zcap sin poder utilizar el material de clave privada asociado. `@digitalbazaar/zcap` v9.0.1 corrige la verificaci\u00f3n de vencimiento. Como workaround, se puede revocar un zcap en cualquier momento."}], "lastModified": "2024-04-11T12:47:44.137", "sourceIdentifier": "security-advisories@github.com"}