Critical severity · NVD Advisory · Published Sep 4, 2020 · Updated Aug 31, 2020
Improper Authorization in passport-cognito
CVE-2019-19723
Description
All versions of passport-cognito are vulnerable to Improper Authorization. The package fails to properly scope the variables containing authorization information, such as access token, refresh token and ID token. This causes a race condition where simultaneous authenticated users may receive authorization tokens for a different user. This would allow a user to take actions on another user's behalf.
Recommendation
No fix is currently available. Consider using an alternative package until a fix is made available.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| passport-cognito (npm) | >= 0.0.0 | — |
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-v6c5-hwqg-3x5q (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-19723 (NVD advisory)
- www.npmjs.com/advisories/1443 (npm advisory)