Race Condition During Access to Alternate Channel
CVE-2019-19723
Summary
All versions of passport-cognito are vulnerable to Improper Authorization. The package fails to properly scope the variables containing authorization information, such as access token, refresh token and ID token. This causes a race condition where simultaneous authenticated users may receive authorization tokens for a different user. This would allow a user to take actions on another user's behalf.
- LOW
- NETWORK
- HIGH
- UNCHANGED
- NONE
- LOW
- HIGH
- HIGH
CWE-421 - Race Condition During Access to Alternate Channel
The product opens an alternate channel to communicate with an authorized user, but the channel is accessible to other actors.
References
Advisory Timeline
- Published