CVE-2019-19723
Improper Authorization in passport-cognito
Description
All versions of `passport-cognito` are vulnerable to Improper Authorization. The package does not properly scope the variables that hold authorization material (the access token, refresh token and ID token), so state from one authentication request is visible to another. This creates a race condition in which users authenticating at the same time may receive authorization tokens that were issued for a different user, allowing one user to take actions on another user's behalf.
Recommendation
No fix is currently available. Consider using an alternative package until a fix is made available.
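The following is an added illustration of the bug class the advisory describes, written for this page; it is constructed code, not passport-cognito's source. It models a Passport-style strategy that stores per-request authorization data on the shared strategy instance, shows how two concurrent logins then produce a session for one user carrying another user's tokens, and contrasts it with a request-scoped version. The identity provider call (`fakeCognitoAuthenticate`), the queued-callback scheduler, the user names and the token strings are all assumptions made for the example.

```javascript
// Constructed illustration of the CVE-2019-19723 bug class: per-request tokens
// kept in shared strategy state. Not passport-cognito's real code.

// Stand-in for the identity provider's network round trip. Callbacks are queued
// and released later by `flushPending`, which makes the interleaving explicit:
// both logins reach the strategy before either provider response arrives.
const pendingCallbacks = [];

function fakeCognitoAuthenticate(username, callback) {
  const tokens = {
    accessToken: `access-token-for-${username}`,
    idToken: `id-token-for-${username}`,
    refreshToken: `refresh-token-for-${username}`,
  };
  pendingCallbacks.push(() => callback(null, tokens));
}

function flushPending() {
  while (pendingCallbacks.length) pendingCallbacks.shift()();
}

// Vulnerable pattern: Passport instantiates a strategy once and reuses it for
// every request, so anything written to `this` is shared by all in-flight logins.
class SharedStateStrategy {
  authenticate(req, done) {
    this.username = req.body.username;           // shared across requests
    fakeCognitoAuthenticate(this.username, (err, tokens) => {
      if (err) return done(err);
      this.accessToken = tokens.accessToken;     // shared across requests
      this.idToken = tokens.idToken;
      this.refreshToken = tokens.refreshToken;
      // By now `this.username` may already belong to a later request.
      done(null, {
        user: this.username,
        accessToken: this.accessToken,
        idToken: this.idToken,
        refreshToken: this.refreshToken,
      });
    });
  }
}

// Fixed pattern: everything request-specific lives in local variables captured
// by the callback closure, so concurrent requests cannot observe each other.
class RequestScopedStrategy {
  authenticate(req, done) {
    const username = req.body.username;
    fakeCognitoAuthenticate(username, (err, tokens) => {
      if (err) return done(err);
      done(null, { user: username, ...tokens });
    });
  }
}

// Two users log in at the same time (constructed request objects).
function runConcurrentLogins(strategy) {
  const results = [];
  const record = (err, session) => results.push(err || session);
  strategy.authenticate({ body: { username: 'alice' } }, record);
  strategy.authenticate({ body: { username: 'bob' } }, record);
  flushPending();
  return results;
}

// Consistency check: every token in a session must have been issued for the
// user that session is about to be created for.
function sessionIsConsistent(session) {
  return [session.accessToken, session.idToken, session.refreshToken]
    .every((t) => t.endsWith(`-for-${session.user}`));
}

function countInconsistentSessions(strategy) {
  return runConcurrentLogins(strategy)
    .filter((s) => !sessionIsConsistent(s)).length;
}

console.log('shared state, cross-user sessions:',
  countInconsistentSessions(new SharedStateStrategy()));
console.log('request scoped, cross-user sessions:',
  countInconsistentSessions(new RequestScopedStrategy()));
```

With the shared-state strategy, the first request's callback completes with Alice's tokens but reads `this.username` after the second request has overwritten it, so the session it produces is for `bob` while carrying `access-token-for-alice`; the request-scoped version never mixes them. The same check (compare the subject of the issued tokens against the user the session is created for) is also a reasonable defensive assertion to add around any third-party strategy you cannot patch.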
How to fix CVE-2019-19723
No patched version has been released. Consider removing the affected package, or refer to the upstream advice in the links below.
- npm/passport-cognito: no patched version listed
Is CVE-2019-19723 being exploited?
There is currently no exploitation signal. CVE-2019-19723 is not in the CISA KEV catalog and has no recent EPSS score.
Affected packages (1)
- passport-cognito >= 0.0.0 (all versions)