Dependency jsrsasign of angular-oauth2-oidc-jwks has a critical vulnerability

[jmac105]

Describe the bug
angular-oauth2-oidc-jwks has a dependency "jsrsasign": "^8.0.12"
CVE-2021-30246 has been published with a CVSS 3.x score of 9.1 and affects all versions of jsrsasign prior to 10.2.0

References
See https://nvd.nist.gov/vuln/detail/CVE-2021-30246 & GHSA-27fj-mc8w-j9wg

I'll try and a raise a PR to update that dependency later today as it would be great to get this resolved ASAP

[Swabo]

Any updates on this? I'd really appreciate this to be fixed. Or even better, are there any chances to get the implicit flow running without jsrsasign? Unfortunately there is currently no chance to use Code Flow in my project...

[jeroenheijmans]

No updates on any fix, but as to your other question:

any chances to get the implicit flow running without jsrsasign

Your only options will be either using the NullValidationhandler (and understand the implications of doing so) instead of JwksValidationHandler and ignore the CVE (since you're then no longer effectively using jsrsasign, or switch to code flow (I think).

[coyoteecd]

I submitted a PR with the version bump; meanwhile, you can use the workaround described here: https://stackoverflow.com/a/62956076/26391

[Swabo]

@jeroenheijmans @coyoteecd thanks for the advice! I think I'll wait a few more days for the PR to be merged as I'm not aware of all the breaking changes between two major versions of jsrsasign and their implications on angular-oauth2-oidc.

[jeroenheijmans]

FWIW I can confirm that my production application has pinned (in package-lock.json) jsrsasign on 10.2.0+ and runs smoothly with it so far.

[bschnabel]

I just updated angular-oauth2-oidc to version 12.0.1 from previously 9.x. When running npm install I get

npm WARN angular-oauth2-oidc@12.0.1 requires a peer of @angular/core@>=12.0.0 but none is installed. You must install peer dependencies yourself.

On the other hand in the readme it states:

Angular 12: Use 12.x versions of this library (should also work with older Angular versions!).
Angular 11: Use 10.x versions of this library (should also work with older Angular versions!).
Angular 10: Use 10.x versions of this library (should also work with older Angular versions!).
Angular 9: Use 9.x versions of this library (should also work with older Angular versions!).

what sounds to me like version 12.x of the library should also work with older Versions of Angular (I'm using 9.x)

So can I just ignore the npm warning? my do you have angular >= 12 as a requirement if you say it should also work with older versions?

[bschnabel]

answered in #1111

[leogouveia]

Is there any news about this issue?
This bug continues in version 17.0.0.
#1111 was closed as it is refers to version 12.