Skip to content

Improper Authorization in passport-cognito

Critical severity GitHub Reviewed Published Sep 4, 2020 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

npm passport-cognito (npm)

Affected versions

>= 0.0.0

Patched versions

None

Description

All versions of passport-cognito are vulnerable to Improper Authorization. The package fails to properly scope the variables containing authorization information, such as access token, refresh token and ID token. This causes a race condition where simultaneous authenticated users may receive authorization tokens for a different user. This would allow a user to take actions on another user's behalf.

Recommendation

No fix is currently available. Consider using an alternative package until a fix is made available.

References

Reviewed Aug 31, 2020
Published to the GitHub Advisory Database Sep 4, 2020
Last updated Jan 9, 2023

Severity

Critical

Weaknesses

CVE ID

CVE-2019-19723

GHSA ID

GHSA-v6c5-hwqg-3x5q

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.