GHSA-2fw4-mgq9-39cx
Suggest an improvement- Source
- https://github.com/advisories/GHSA-2fw4-mgq9-39cx
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-2fw4-mgq9-39cx/GHSA-2fw4-mgq9-39cx.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-2fw4-mgq9-39cx
- Aliases
- Published
- 2021-04-22T15:53:45Z
- Modified
- 2023-11-08T03:59:16.711691Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Code Injection in oauth2-server
- Details
-
"oauth2-server (aka node-oauth2-server) through 3.1.1 implements OAuth 2.0 without PKCE. It does not prevent authorization code injection. This is similar to CVE-2020-7692. NOTE: the vendor states 'As RFC7636 is an extension, I think the claim in the Readme of "RFC 6749 compliant" is valid and not misleading and I also therefore wouldn't describe this as a "vulnerability" with the library per se.'"
- Database specific
{ "nvd_published_at": "2020-10-04T05:15:00Z", "cwe_ids": [ "CWE-94" ], "github_reviewed_at": "2021-04-21T21:15:38Z", "severity": "HIGH", "github_reviewed": true }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2017-18924
- https://github.com/oauthjs/node-oauth2-server/issues/637
- https://github.com/oauthjs/node-oauth2-server/pull/452
- https://codeburst.io/missing-the-point-in-securing-oauth-2-0-83968708b467
- https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15
- https://tools.ietf.org/html/rfc7636
Affected packages
npm / oauth2-server
Package
- Name
- oauth2-server
- View open source insights on deps.dev
- Purl
- pkg:npm/oauth2-server