@sap-cloud-sdk/core (>=1.48.2-20210910061518.0 <=1.49.1-20210922143656.0), @sap/approuter (>=5.1.0 <=14.4.1) +12 more potentially affected by CVE-2023-49583 via @sap/xssec (>=1.3.0 <=3.5.0)

@sap/xssec NPM version =1.3.0, =1.48.2-20210910061518.0, =5.1.0, =2.2.3, =3.2.0, =0.0.2, =1.9.14, =1.14.1, =2.0.5, =1.0.0, =1.202002.1, =1.1.0, =0.1.92, =0.1.0, =0.4.1 Source cves: CVE-2023-49583 Source advisory: OSV:GHSA-P2VX-QJ66-88Q3...

Improper Authorization in @sap-cloud-sdk/core

Affected versions of @sap-cloud-sdk/core do not properly validate JWTs. The verifyJwt function does not properly validate the URL from where the public verification key for the JWT can be downloaded. Any URL was trusted which makes it possible to provide a URL belonging to a manipulated JWT...