Description
Express OpenID Connect is express JS middleware implementing sign on for Express web apps using OpenID Connect. Versions before and including `2.5.1` do not regenerate the session id and session cookie when user logs in. This behavior opens up the application to various session fixation vulnerabilities. Versions `2.5.2` contains a patch for this issue.
Published: 2021-12-09
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2021-2474 Express OpenID Connect is express JS middleware implementing sign on for Express web apps using OpenID Connect. Versions before and including `2.5.1` do not regenerate the session id and session cookie when user logs in. This behavior opens up the application to various session fixation vulnerabilities. Versions `2.5.2` contains a patch for this issue.
Github GHSA Github GHSA GHSA-7rg2-qxmf-hhx9 Session fixation in express-openid-connect
History

No history.

Subscriptions

Auth0 Express Openid Connect
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2024-08-04T03:08:31.551Z

Reserved: 2021-09-15T00:00:00.000Z

Link: CVE-2021-41246

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2021-12-09T16:15:08.383

Modified: 2024-11-21T06:25:52.357

Link: CVE-2021-41246

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses