📂 Vulnerable Library - passport-facebook-2.1.1.tgz
Facebook authentication strategy for Passport.
Path to dependency file: /package.json
Findings
| Finding | Severity | CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2021-41580 | 🟠 Medium | 5.3 | Not Defined | < 1% | passport-oauth2-1.5.0.tgz | Transitive | N/A | ❌ | Unreachable |
Details
🟠 CVE-2021-41580
Vulnerable Library - passport-oauth2-1.5.0.tgz
OAuth 2.0 authentication strategy for Passport.
Library home page: https://registry.npmjs.org/passport-oauth2/-/passport-oauth2-1.5.0.tgz
Path to dependency file: /api/package.json
Dependency Hierarchy:
- passport-facebook-2.1.1.tgz (Root Library)
  - ❌ passport-oauth2-1.5.0.tgz (Vulnerable Library)
- passport-github2-0.1.11.tgz (Root Library)
  - ❌ passport-oauth2-1.5.0.tgz (Vulnerable Library)
- passport-google-oauth2-0.1.6.tgz (Root Library)
  - ❌ passport-oauth2-1.5.0.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
The passport-oauth2 package before 1.6.1 for Node.js mishandles the error condition of failure to obtain an access token. This is exploitable in certain use cases where an OAuth identity provider uses an HTTP 200 status code for authentication-failure error reports, and an application grants authorization upon simply receiving the access token (i.e., does not try to use the token). NOTE: the passport-oauth2 vendor does not consider this a passport-oauth2 vulnerability.
Publish Date: Sep 27, 2021 06:11 AM
URL: CVE-2021-41580
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution: