Description
All versions of passport-cognito are vulnerable to Improper Authorization. The package fails to properly scope the variables that hold authorization material (the access token, refresh token and ID token), so they are shared across requests instead of being confined to the request being authenticated. This creates a race condition: when two users authenticate at the same time, one of them may be issued the other user's tokens.
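The scoping bug described above, as an added illustration that is not passport-cognito's source code: the Cognito round trip and the strategy's later work are simulated with timers (the names USERS, fakeCognitoAuth, vulnerableAuthenticate, fixedAuthenticate, raceTwoUsers and crossedSessions are assumptions for this example), and two logins are started concurrently so that the second user's identity-provider reply lands while the first request is still in flight. The vulnerable variant keeps the three tokens in module scope; the fixed variant keeps them in the scope of the call that received them.

```javascript
// Added example, not passport-cognito's code: a module-scoped token store
// versus per-request scoping, exercised under two concurrent logins.

// Constructed sample users standing in for two people logging in at once.
const USERS = {
  alice: { accessToken: 'access-alice', idToken: 'id-alice', refreshToken: 'refresh-alice' },
  bob:   { accessToken: 'access-bob',   idToken: 'id-bob',   refreshToken: 'refresh-bob' },
};

// Simulated identity-provider round trip (assumption): replies after delayMs.
function fakeCognitoAuth(username, delayMs) {
  return new Promise((resolve) => setTimeout(() => resolve(USERS[username]), delayMs));
}

// Stand-in for work the strategy does after receiving tokens, before it
// hands them to the application (e.g. a profile lookup).
function laterWork(ms) {
  return new Promise((resolve) => setTimeout(resolve, ms));
}

// --- Vulnerable pattern: tokens live in module scope --------------------
// Every in-flight authentication writes into the same three variables, so
// whichever reply arrives last wins, regardless of whose request reads them.
let accessToken;
let idToken;
let refreshToken;

async function vulnerableAuthenticate(username, delayMs) {
  const reply = await fakeCognitoAuth(username, delayMs);
  accessToken = reply.accessToken;   // shared mutable state
  idToken = reply.idToken;
  refreshToken = reply.refreshToken;
  await laterWork(60);               // another user's reply can land here
  return { username, accessToken, idToken, refreshToken }; // reads shared state
}

// --- Fixed pattern: tokens scoped to this call --------------------------
async function fixedAuthenticate(username, delayMs) {
  // Block-scoped constants shadow the module-level variables above; nothing
  // outside this call can overwrite them between receipt and use.
  const { accessToken, idToken, refreshToken } = await fakeCognitoAuth(username, delayMs);
  await laterWork(60);
  return { username, accessToken, idToken, refreshToken };
}

// Two concurrent logins: alice's reply arrives immediately, bob's arrives
// while alice's request is still doing its later work.
async function raceTwoUsers(authenticate) {
  const [alice, bob] = await Promise.all([
    authenticate('alice', 0),
    authenticate('bob', 30),
  ]);
  return { alice, bob };
}

// Usernames whose result carries a token that was issued to someone else.
function crossedSessions({ alice, bob }) {
  const crossed = [];
  if (alice.accessToken !== USERS.alice.accessToken) crossed.push('alice');
  if (bob.accessToken !== USERS.bob.accessToken) crossed.push('bob');
  return crossed;
}

// Stand-alone demo: prints which sessions were crossed for each variant.
if (typeof require !== 'undefined' && require.main === module) {
  raceTwoUsers(vulnerableAuthenticate)
    .then((r) => console.log('vulnerable, crossed sessions:', crossedSessions(r)))
    .then(() => raceTwoUsers(fixedAuthenticate))
    .then((r) => console.log('fixed, crossed sessions:', crossedSessions(r)));
}
```

With the timings above, alice's request reads the module-level variables after bob's reply has overwritten them, so alice is handed bob's access, ID and refresh tokens while bob's own result is correct; the fixed variant returns each user's own tokens. The same interleaving applies to any Node.js process serving more than one login at a time, which is why the advisory covers every version rather than a specific code path.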
Recommendation
No fix is available yet. The following versions are affected:
- >= 0.0.0
References
Tags:
- npm
- passport-cognito
Last updated on January 09, 2023