CVE-2019-19723
Improper Authorization in passport-cognito
Description
All versions of `passport-cognito` are vulnerable to Improper Authorization. The package fails to properly scope the variables containing authorization information, such as the access token, refresh token and ID token. This causes a race condition in which simultaneously authenticated users may receive authorization tokens issued for a different user, which would allow a user to take actions on another user's behalf.
Recommendation
No fix is currently available. Consider using an alternative package until a fix is made available.
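The bug class described above, as an added illustration that is not passport-cognito's own code: authorization tokens held in module-scope variables shared by every in-flight login, beside the same flow with the tokens kept in the scope of the request that obtained them. The identity provider is replaced by the constructed stand-in `fakeAuthenticate`, and `loginShared`, `loginScoped` and `raceTwoUsers` are assumed names for the two patterns and the driver; with two logins started at once, the shared version hands the first user the second user's tokens (`aliceOk: false`), while the scoped version does not.

```javascript
// Constructed illustration of the bug class in CVE-2019-19723, not code from
// passport-cognito: authorization tokens kept in variables shared by all
// in-flight authentications, beside the same flow with per-request scoping.

// Stand-in for the identity provider: resolves with tokens for `username`
// after `delayMs`, so two logins can interleave like real network round trips.
function fakeAuthenticate(username, delayMs) {
  return new Promise((resolve) => setTimeout(() => resolve({
    accessToken: `access-for-${username}`,
    idToken: `id-for-${username}`,
  }), delayMs));
}

const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// VULNERABLE pattern: token state lives at module scope, so every concurrent
// login writes to, and later reads from, the same two variables.
let sharedAccessToken;
let sharedIdToken;

async function loginShared(username, delayMs) {
  const tokens = await fakeAuthenticate(username, delayMs);
  sharedAccessToken = tokens.accessToken;
  sharedIdToken = tokens.idToken;
  // Further async work (e.g. fetching a profile) before the tokens are attached
  // to this user's session. Another login can overwrite the shared state here.
  await sleep(30);
  return { username, accessToken: sharedAccessToken, idToken: sharedIdToken };
}

// FIXED pattern: the tokens never leave the local scope of the request that
// obtained them, so concurrent logins cannot observe each other's state.
async function loginScoped(username, delayMs) {
  const tokens = await fakeAuthenticate(username, delayMs);
  await sleep(30);
  return { username, accessToken: tokens.accessToken, idToken: tokens.idToken };
}

// Start two logins at once (alice's provider reply arrives first) and report
// whether each user ended up with tokens issued for their own account.
async function raceTwoUsers(loginFn) {
  const [alice, bob] = await Promise.all([loginFn('alice', 0), loginFn('bob', 10)]);
  return {
    aliceOk: alice.accessToken === 'access-for-alice' && alice.idToken === 'id-for-alice',
    bobOk: bob.accessToken === 'access-for-bob' && bob.idToken === 'id-for-bob',
  };
}

raceTwoUsers(loginShared).then((r) => console.log('shared state :', r));
raceTwoUsers(loginScoped).then((r) => console.log('request scope:', r));
```

The same leak shows up in production whenever a Passport strategy, middleware or module keeps per-user credentials outside the request object or the callback closure; auditing for module-level `let`/`var` that hold tokens is the practical check.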
How to fix CVE-2019-19723
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- npm/passport-cognito—no fix listed
Is CVE-2019-19723 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2019-19723.
Affected packages (1)
- npm/passport-cognito: all versions (>= 0.0.0)