Description
Authentication Weakness in keystone
Versions of keystone prior to 0.3.16 are affected by a partial authentication bypass vulnerability. In the default sign in functionality, if an attacker provides a full and correct password, yet only provides part of the associated email address, authentication will be granted.
Recommendation
Update to version 0.3.16 or later.
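The behaviour described above, as an added example that is not Keystone's code and not part of this advisory. It assumes the account lookup used an unanchored, case-insensitive pattern match (the advisory does not state the cause) and sets that beside an exact-match lookup; USERS, findUserLoose, findUserExact and signIn are hypothetical names, and the account is constructed sample data.

```javascript
// Added illustration; hypothetical names, constructed data, not Keystone's implementation.
const { scryptSync, timingSafeEqual } = require('crypto');

// Constructed sample account store (one user, scrypt-hashed password).
const SALT = 'constructed-salt';
const hashPassword = (pw) => scryptSync(pw, SALT, 32);
const USERS = [{ email: 'admin@example.com', pwHash: hashPassword('correct horse') }];

// Escape regex metacharacters so the input is treated as literal text.
const escapeRegExp = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Weak (assumed cause): the pattern is not anchored, so any fragment of a
// stored address selects that account.
function findUserLoose(email) {
  const re = new RegExp(escapeRegExp(email), 'i');
  return USERS.find((u) => re.test(u.email)) || null;
}

// Hardened: normalise case and whitespace, then require equality with the
// whole stored address.
function findUserExact(email) {
  if (typeof email !== 'string' || email.length === 0) return null;
  const wanted = email.trim().toLowerCase();
  return USERS.find((u) => u.email.toLowerCase() === wanted) || null;
}

// Sign-in succeeds only if an account is found and the password hash matches.
function signIn(find, email, password) {
  const user = find(email);
  if (!user) return false;
  return timingSafeEqual(user.pwHash, hashPassword(password));
}

// Partial address with the correct password: accepted by the loose lookup,
// rejected by the exact one.
console.log('loose:', signIn(findUserLoose, 'admin@', 'correct horse'));
console.log('exact:', signIn(findUserExact, 'admin@', 'correct horse'));
```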
Packages
Name: keystone (npm)
Affected versions: < 0.3.16
Fixed version: 0.3.16
Related vulnerabilities
CVSS3: 7.5
nvd
more than 7 years ago
Due to a bug in the default sign in functionality in the keystone node module before 0.3.16, incomplete email addresses could be matched. A correct password is still required to complete sign in.