[ https://issues.apache.org/jira/browse/NIFI-15471?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18052117#comment-18052117 ]
ASF subversion and git services commented on NIFI-15471:
--------------------------------------------------------
Commit 0f53a8482c30dffad62dda11693e3c9867900c4c in nifi's branch
refs/heads/main from Rob Fellows
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=0f53a8482c ]
NIFI-15471 - Address dependabot detected issues in transitive dependency hono
This closes #10774.
Signed-off-by: Pierre Villard <[email protected]>
> UI - Address dependabot detected issues in transitive dependency hono
> ---------------------------------------------------------------------
>
> Key: NIFI-15471
> URL: https://issues.apache.org/jira/browse/NIFI-15471
> Project: Apache NiFi
> Issue Type: Task
> Components: Core UI
> Reporter: Rob Fellows
> Assignee: Rob Fellows
> Priority: Major
> Time Spent: 20m
> Remaining Estimate: 0h
>
> [https://github.com/apache/nifi/security/dependabot/525]
> [https://github.com/apache/nifi/security/dependabot/524]
>
> *npm audit:*
> hono <=4.11.3
> Severity: high
> Hono JWK Auth Middleware has JWT algorithm confusion when JWK lacks "alg"
> (untrusted header.alg fallback) -
> https://github.com/advisories/GHSA-3vhc-576x-3qv4
> Hono JWT Middleware's JWT Algorithm Confusion via Unsafe Default (HS256)
> Allows Token Forgery and Auth Bypass -
> https://github.com/advisories/GHSA-f67f-6cw9-8mq4
--
This message was sent by Atlassian Jira
(v8.20.10#820010)