Lucene search

GitHub_MCVELIST:CVE-2021-41246

HistoryDec 09, 2021 - 3:55 p.m.

CVE-2021-41246 Session fixation in express-openid-connect

2021-12-0915:55:10

CWE-384

GitHub_M

www.cve.org

4.6 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

8.9 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

60.2%

JSON

Express OpenID Connect is express JS middleware implementing sign on for Express web apps using OpenID Connect. Versions before and including 2.5.1 do not regenerate the session id and session cookie when user logs in. This behavior opens up the application to various session fixation vulnerabilities. Versions 2.5.2 contains a patch for this issue.

CNA Affected

[
  {
    "product": "express-openid-connect",
    "vendor": "auth0",
    "versions": [
      {
        "status": "affected",
        "version": ">= 2.3.0, < 2.5.2"
      }
    ]
  }
]

References

github.com/auth0/express-openid-connect/commit/5ab67ff2bd84f76674066b5e129b43ab5f2f430f

github.com/auth0/express-openid-connect/releases/tag/v2.5.2

github.com/auth0/express-openid-connect/security/advisories/GHSA-7rg2-qxmf-hhx9