Session fixation in express-openid-connect
CVE-2021-41246

4.6MEDIUM

Key Information:

Vendor

Auth0

Status
Express-openid-connect
Vendor
CVE Published:
9 December 2021

What is CVE-2021-41246?

Express OpenID Connect is express JS middleware implementing sign on for Express web apps using OpenID Connect. Versions before and including 2.5.1 do not regenerate the session id and session cookie when user logs in. This behavior opens up the application to various session fixation vulnerabilities. Versions 2.5.2 contains a patch for this issue.

Affected Version(s)

express-openid-connect >= 2.3.0, < 2.5.2

References

https://github.com/auth0/express-openid-connect/security/...
x_refsource_CONFIRM
https://github.com/auth0/express-openid-connect/commit/5a...
x_refsource_MISC
https://github.com/auth0/express-openid-connect/releases/...
x_refsource_MISC

CVSS V3.1

Score:
4.6
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.