CVE-2021-41246

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-41246
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-41246.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-41246
Aliases
Related
Published
2021-12-09T16:15:08Z
Modified
2025-01-08T12:23:19.310365Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
[none]
Details

Express OpenID Connect is Express JS middleware implementing sign-on for Express web apps using OpenID Connect. Versions up to and including 2.5.1 do not regenerate the session ID and session cookie when a user logs in. This behavior exposes the application to various session fixation vulnerabilities. Version 2.5.2 contains a patch for this issue.

References

Affected packages

Git / github.com/auth0/express-openid-connect

Affected ranges

Type
GIT
Repo
https://github.com/auth0/express-openid-connect
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

v.*

v.0.6.0

v0.*

v0.0.2
v0.0.3
v0.1.0
v0.2.0
v0.2.1
v0.3.0
v0.4.0
v0.5.0
v0.7.0
v0.8.0
v0.8.1

v1.*

v1.0.0
v1.0.1
v1.0.2

v2.*

v2.0.0
v2.1.0
v2.2.0
v2.2.1
v2.3.0
v2.3.1
v2.4.0
v2.5.0
v2.5.1