📂 Vulnerable Library - passport-0.4.1.tgz
Simple, unobtrusive authentication for Node.js.
Library home page: https://registry.npmjs.org/passport/-/passport-0.4.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/passport/package.json
Findings
Details
🟠 CVE-2022-25896
Dependency Hierarchy:
- ❌ passport-0.4.1.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- dvna-0.0.1/server.js (Application)
- passport-0.4.1/lib/index.js (Extension)
- passport-0.4.1/lib/authenticator.js (Extension)
-> ❌ passport-0.4.1/lib/sessionmanager.js (Vulnerable Component)
Vulnerability Details
This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed.
Publish Date: Jul 01, 2022 08:06 PM
URL: CVE-2022-25896
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.3
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/CVE-2022-25896
Release Date: Jul 01, 2022 08:06 PM
Fix Resolution: https://github.com/jaredhanson/passport.git - no_fix, passport - 0.6.0