GitHub Advisory Database: GHSA-58H4-9M7M-J9M4
History: Jan 09, 2023 - 8:06 p.m.

@okta/oidc-middleware Open Redirect vulnerability

2023-01-09 20:06:02
CWE-601
GitHub Advisory Database
github.com

CVSS3: 4.7
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

EPSS: 0.001
Percentile: 31.2%

An open redirect vulnerability exists in Okta OIDC Middleware prior to version 5.0.0 allowing an attacker to redirect a user to an arbitrary URL.

Affected products and versions
Okta OIDC Middleware prior to version 5.0.0.

Resolution
The vulnerability is fixed in OIDC Middleware 5.0.0. To remediate this vulnerability, upgrade Okta OIDC Middleware to this version or later.

CVE details
CVE ID: CVE-2022-3145
Published Date: 01/05/2023
Vulnerability Type: Open Redirect
CWE: CWE-601
CVSS v3.1 Score: 4.3
Severity: Medium
Vector string: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Severity Details
To exploit this issue, an attacker would need to send a victim a malformed URL containing a target server that they control. Once the victim successfully completed the login process, they would then be redirected to the attacker-controlled site.

References
https://github.com/okta/okta-oidc-middleware

Affected configurations

Vulners
Node: okta oidc_middleware, range <5.0.0, node.js

Vendor: okta
Product: oidc_middleware
Version: *
CPE: cpe:2.3:a:okta:oidc_middleware:*:*:*:*:*:node.js:*:*
