Lookup for vulnerabilities affecting packages.
| Vulnerability_id | VCID-wpep-ax9c-jyb6 |
|---|
| Summary | Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3, an attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify interprets it without changing its Linked Data Signature, allowing them to alter a third-party signed activity they have received. Versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3 fix the issue. |
|---|
| Aliases |
| 0 |
|
| 1 |
| alias |
GHSA-9rfg-v8g9-9367 |
|
|
|---|
| Fixed_packages |
|
|---|
| Affected_packages |
|
|---|
| References |
|
|---|
| Weaknesses |
| 0 |
| cwe_id |
180 |
| name |
Incorrect Behavior Order: Validate Before Canonicalize |
| description |
The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step. |
|
| 1 |
| cwe_id |
347 |
| name |
Improper Verification of Cryptographic Signature |
| description |
The product does not verify, or incorrectly verifies, the cryptographic signature for data. |
|
| 2 |
| cwe_id |
436 |
| name |
Interpretation Conflict |
| description |
Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state. |
|
| 3 |
| cwe_id |
1289 |
| name |
Improper Validation of Unsafe Equivalence in Input |
| description |
The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value. |
|
|
|---|
| Exploits |
|
|---|
| Severity_range_score | 7.0 - 8.9 |
|---|
| Exploitability | 0.5 |
|---|
| Weighted_severity | 8.0 |
|---|
| Risk_score | 4.0 |
|---|
| Resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-wpep-ax9c-jyb6 |
|---|