CVE-2021-41246 : Express OpenID Connect is express JS middleware implementing sign on for Express

Express OpenID Connect is express JS middleware implementing sign on for Express web apps using OpenID Connect. Versions before and including `2.5.1` do not regenerate the session id and session cookie when user logs in. This behavior opens up the application to various session fixation vulnerabilities. Versions `2.5.2` contains a patch for this issue.

Published 2021-12-09 16:15:08

Updated 2021-12-14 00:40:07

Source GitHub, Inc.

View at NVD, CVE.org

Products affected by CVE-2021-41246

Auth0 » Express Openid Connect » For Node.js
Versions from including (>=) 2.3.0 and before (<) 2.5.2
cpe:2.3:a:auth0:express_openid_connect:*:*:*:*:*:node.js:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-41246

EPSS FAQ

0.36%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 55 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-41246

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High
4.6	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N	2.1	2.5	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Unchanged Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2021-41246

CWE-384 Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2021-41246

https://github.com/auth0/express-openid-connect/commit/5ab67ff2bd84f76674066b5e129b43ab5f2f430f

Merge pull request from GHSA-7rg2-qxmf-hhx9 · auth0/express-openid-connect@5ab67ff · GitHub
Patch;Third Party Advisory
https://github.com/auth0/express-openid-connect/releases/tag/v2.5.2

Release v2.5.2 · auth0/express-openid-connect · GitHub
Release Notes;Third Party Advisory
https://github.com/auth0/express-openid-connect/security/advisories/GHSA-7rg2-qxmf-hhx9

Session fixation in express-openid-connect · Advisory · auth0/express-openid-connect · GitHub
Third Party Advisory

Jump to

Vulnerability Details : CVE-2021-41246

Products affected by CVE-2021-41246

Exploit prediction scoring system (EPSS) score for CVE-2021-41246

CVSS scores for CVE-2021-41246

CWE ids for CVE-2021-41246

References for CVE-2021-41246