Improper Authorization in passport-cognito

Description

All versions of passport-cognito are vulnerable to Improper Authorization. The package fails to properly scope the variables containing authorization information, such as access token, refresh token and ID token. This causes a race condition where simultaneous authenticated users may receive authorization tokens for a different user.

Recommendation

No fix is available yet. Followings are affected versions:

• >= 0.0.0

References

• GHSA-v6c5-hwqg-3x5q
• www.npmjs.com
• CVE-2019-19723
• CWE-285
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• Materialize-css vulnerable to Improper Neutralization of Input During Web Page Generation - materialize-css - CVE-2019-11004
• bson-objectid contains Improper input validation - CVE-2019-19729
• Materialize-css vulnerable to Improper Neutralization of Input During Web Page Generation - CVE-2019-11004
• Improper Key Verification in openpgp - CVE-2019-9154

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

passport-cognito