Improper Authorization in @sap-cloud-sdk/core

Published: Sep 3, 2020
Updated: Apr 14, 2023
GHSA: <a href="https://github.com/advisories/GHSA-r2vw-jgq9-jqx2" target="_blank" rel="noopener"> GHSA-r2vw-jgq9-jqx2
Severity: High
Exploit:

Affected versions of @sap-cloud-sdk/core do not properly validate JWTs. The verifyJwt() function does not properly validate the URL from where the public verification key for the JWT can be downloaded. Any URL was trusted which makes it possible to provide a URL belonging to a manipulated JWT.