CVE-2022-25896 (Medium) detected in passport-0.1.18.tgz, passport-0.4.1.tgz

[mend-for-github-com]

CVE-2022-25896 - Medium Severity Vulnerability

Vulnerable Libraries - passport-0.1.18.tgz, passport-0.4.1.tgz

passport-0.1.18.tgz

Simple, unobtrusive authentication for Node.js.

Library home page: https://registry.npmjs.org/passport/-/passport-0.1.18.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/passport-accesstoken/node_modules/passport/package.json

Dependency Hierarchy:

• passport-accesstoken-0.1.0.tgz (Root Library)
  • ❌ passport-0.1.18.tgz (Vulnerable Library)

passport-0.4.1.tgz

Simple, unobtrusive authentication for Node.js.

Library home page: https://registry.npmjs.org/passport/-/passport-0.4.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/passport/package.json

Dependency Hierarchy:

• ❌ passport-0.4.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed.

Publish Date: 2022-07-01

URL: CVE-2022-25896

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25896

Release Date: 2022-07-01

Fix Resolution: 0.6.0

---

⛑️ Automatic Remediation will be attempted for this issue.