PT-2021-23210 · Unknown · Express Openid Connect

Audrey Budryte

·

Published

2021-12-09

·

Updated

2021-12-14

·

CVE-2021-41246

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Express OpenID Connect versions 2.3.0 through 2.5.1

Description: The issue arises from the failure to regenerate the session id and session cookie when a user logs in, which leaves the application susceptible to session fixation. This behavior affects versions prior to the patch release.

Recommendations: For versions 2.3.0 through 2.5.1, upgrade to version 2.5.2 or later to resolve the issue.

Fix

Session Fixation


Weakness Enumeration

Related Identifiers

CVE-2021-41246
GHSA-7RG2-QXMF-HHX9

Affected Products

Express Openid Connect