| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/sap/cloud-security-client-go | go | < 0.17.0 | 0.17.0 |
Commit 2e3bd63 makes three changes to issuer validation:

1. URL parsing is replaced with direct validation of the issuer host.
2. Subdomains are checked against the pattern `^[a-zA-Z0-9-]{1,63}\.<domain>$`: a single DNS label of 1 to 63 characters from `[a-zA-Z0-9-]`, followed by the trusted domain and nothing else.
3. Test cases are added that reject issuer domains the previous check accepted.

These changes address CWE-639 (Authorization Bypass Through User-Controlled Key): the issuer claim, which is attacker-controlled token input, can no longer be forged through special characters, percent-encoded payloads, or invalid subdomains. Before the fix, a crafted token whose issuer passed the weak check could be accepted, allowing unauthenticated privilege escalation.
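As an added illustration (not code from the advisory or from cloud-security-client-go), the following Go program places a weak URL-parse-and-suffix check, in the style the advisory says was replaced, beside a direct host check built from the pattern quoted above. The trusted domain `accounts.example`, the function names and the sample issuer strings are assumptions for the demonstration; the real library's domain and internals are not reproduced.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// trustedDomain is a placeholder identity-provider domain for this
// demonstration; it is not the domain used by the real library.
const trustedDomain = "accounts.example"

// validateIssuerURLParse is a deliberately weak check in the style the
// advisory says was replaced: parse the issuer as a URL and accept any
// hostname ending in "." + domain. It is the "before" case.
func validateIssuerURLParse(issuer, domain string) bool {
	u, err := url.Parse(issuer)
	if err != nil || u.Scheme != "https" {
		return false
	}
	// net/url accepts characters such as ';' and '_' in a host, decodes
	// percent-encoded non-ASCII bytes, and Hostname() drops the port, so a
	// suffix match says nothing about the rest of the issuer string.
	return strings.HasSuffix(u.Hostname(), "."+domain)
}

// validateIssuerHost is the hardened form: no URL parsing. The issuer must
// be exactly "https://" followed by one DNS label of 1-63 characters from
// [a-zA-Z0-9-], a dot, and the trusted domain, with nothing after it.
func validateIssuerHost(issuer, domain string) bool {
	if !strings.HasPrefix(issuer, "https://") {
		return false
	}
	host := strings.TrimPrefix(issuer, "https://")
	// QuoteMeta escapes the dots in the domain so they match literally;
	// the <domain> placeholder in the advisory's pattern is filled here.
	pattern := `^[a-zA-Z0-9-]{1,63}\.` + regexp.QuoteMeta(domain) + `$`
	return regexp.MustCompile(pattern).MatchString(host)
}

// checkIssuer returns the verdict of both checks for one issuer value.
func checkIssuer(issuer string) (weak, strict bool) {
	return validateIssuerURLParse(issuer, trustedDomain),
		validateIssuerHost(issuer, trustedDomain)
}

func main() {
	// Constructed sample issuers (not taken from the advisory or its tests).
	samples := []string{
		"https://tenant1.accounts.example",          // legitimate tenant
		"https://tenant1.accounts.example:8443/kid", // port and path smuggled in
		"https://a.tenant1.accounts.example",        // nested label
		"https://evil;x.accounts.example",           // special character in label
		"https://evil_x.accounts.example",           // underscore, not a DNS label
		"https://tenant%C3%A9.accounts.example",     // percent-encoded non-ASCII
		"https://evilaccounts.example",              // lookalike domain
		"http://tenant1.accounts.example",           // wrong scheme
	}
	for _, iss := range samples {
		weak, strict := checkIssuer(iss)
		fmt.Printf("%-45s weak=%-5v strict=%v\n", iss, weak, strict)
	}
}
```

The weak check accepts the first six samples because `url.Parse` tolerates them and `Hostname()` hides the port and path; only the strict check confines the issuer to a single well-formed label under the trusted domain, which is what makes the issuer safe to use as a key for selecting which tenant's signing keys to trust.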