CVE-2021-41246

Опубликовано: 09 дек. 2021

Источник: nvd

CVSS3: 4.6

CVSS3: 8.8

CVSS2: 6.8

EPSS Низкий

Описание

Express OpenID Connect is express JS middleware implementing sign on for Express web apps using OpenID Connect. Versions before and including 2.5.1 do not regenerate the session id and session cookie when user logs in. This behavior opens up the application to various session fixation vulnerabilities. Versions 2.5.2 contains a patch for this issue.

Ссылки

https://github.com/auth0/express-openid-connect/commit/5ab67ff2bd84f76674066b5e129b43ab5f2f430f
Patch
Third Party Advisory
https://github.com/auth0/express-openid-connect/releases/tag/v2.5.2
Release Notes
Third Party Advisory
https://github.com/auth0/express-openid-connect/security/advisories/GHSA-7rg2-qxmf-hhx9
Third Party Advisory
https://github.com/auth0/express-openid-connect/commit/5ab67ff2bd84f76674066b5e129b43ab5f2f430f
Patch
Third Party Advisory
https://github.com/auth0/express-openid-connect/releases/tag/v2.5.2
Release Notes
Third Party Advisory
https://github.com/auth0/express-openid-connect/security/advisories/GHSA-7rg2-qxmf-hhx9
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:auth0:express_openid_connect:*:*:*:*:*:node.js:*:*

Версия от 2.3.0 (включая) до 2.5.2 (исключая)

EPSS

Процентиль: 59%

0.00381

Низкий

4.6 Medium

CVSS3

8.8 High

CVSS3

6.8 Medium

CVSS2

Дефекты

CWE-384

Связанные уязвимости

GHSA-7rg2-qxmf-hhx9

CVSS3: 4.6

github

около 4 лет назад

Session fixation in express-openid-connect

EPSS

Процентиль: 59%

0.00381

Низкий

4.6 Medium

CVSS3

8.8 High

CVSS3

6.8 Medium

CVSS2

Дефекты

CWE-384