Race Condition During Access to Alternate Channel

CVE-2019-19723

High

8.8/10

Summary

All versions of passport-cognito are vulnerable to Improper Authorization. The package fails to properly scope the variables containing authorization information, such as access token, refresh token and ID token. This causes a race condition where simultaneous authenticated users may receive authorization tokens for a different user. This would allow a user to take actions on another user's behalf.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-421 - Race Condition During Access to Alternate Channel

The product opens an alternate channel to communicate with an authorized user, but the channel is accessible to other actors.

References

Advisory

Advisory Timeline

Published Sep 04, 2020

Race Condition During Access to Alternate Channel

CVE-2019-19723

Summary

CWE-421 - Race Condition During Access to Alternate Channel

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS