CVE-2021-41246
4.6
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Summary
Express OpenID Connect is express JS middleware implementing sign on for Express web apps using OpenID Connect. Versions before and including 2.5.1 do not regenerate the session id and session cookie when user logs in. This behavior opens up the application to various session fixation vulnerabilities. Versions 2.5.2 contains a patch for this issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| auth0 | express-openid-connect | >= 2.3.0, < 2.5.2 | affected |
Weaknesses
- CWE-384: CWE-384: Session Fixation
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/auth0/express-openid-connect/security/advisories/GHSA-7rg2-qxmf-hhx9
- https://github.com/auth0/express-openid-connect/commit/5ab67ff2bd84f76674066b5e129b43ab5f2f430f
- https://github.com/auth0/express-openid-connect/releases/tag/v2.5.2
References
- https://github.com/auth0/express-openid-connect/security/advisories/GHSA-7rg2-qxmf-hhx9
- https://github.com/auth0/express-openid-connect/commit/5ab67ff2bd84f76674066b5e129b43ab5f2f430f
- https://github.com/auth0/express-openid-connect/releases/tag/v2.5.2
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.