Lucene search
+L

50 matches found

vulnersOsv
vulnersOsv
added 2021/04/22 3:53 p.m.3 views

@abramltd/jwt-oauth2-middleware (=0.1.0), @aerocorp/cli (=7.0.5) +168 more potentially affected by CVE-2017-18924 via oauth2-server (>=2.2.2 <=3.1.1)

oauth2-server NPM version =2.2.2, =1.0.0, =0.0.1, =2.1.0, =3.0.0, =0.4.1, =0.1.0, =3.0.0, =8.9.7 - @intlayer/chokidar =3.5.8 and more Source cves: CVE-2017-18924 Source advisory: OSV:GHSA-2FW4-MGQ9-39CX...

7.5CVSS7.1AI score0.0219EPSS
Exploits1
Github Security Blog
Github Security Blog
added 2021/04/22 3:53 p.m.71 views

Code Injection in oauth2-server

"oauth2-server aka node-oauth2-server through 3.1.1 implements OAuth 2.0 without PKCE. It does not prevent authorization code injection. This is similar to CVE-2020-7692. NOTE: the vendor states 'As RFC7636 is an extension, I think the claim in the Readme of "RFC 6749 compliant" is valid and not...

7.5CVSS8.6AI score0.0219EPSS
Exploits1References7Affected Software1
OSV
OSV
added 2021/04/22 3:53 p.m.4 views

GHSA-2FW4-MGQ9-39CX Code Injection in oauth2-server

"oauth2-server aka node-oauth2-server through 3.1.1 implements OAuth 2.0 without PKCE. It does not prevent authorization code injection. This is similar to CVE-2020-7692. NOTE: the vendor states 'As RFC7636 is an extension, I think the claim in the Readme of "RFC 6749 compliant" is valid and not...

7.5CVSS7.2AI score0.0219EPSS
Exploits1References6
NVD
NVD
added 2020/10/04 5:15 a.m.23 views

CVE-2017-18924

oauth2-server aka node-oauth2-server through 3.1.1 implements OAuth 2.0 without PKCE. It does not prevent authorization code injection. This is similar to CVE-2020-7692. NOTE: the vendor states 'As RFC7636 is an extension, I think the claim in the Readme of "RFC 6749 compliant" is valid and not...

7.5CVSS0.0219EPSS
Exploits1References5
OSV
OSV
added 2020/10/04 5:15 a.m.7 views

CVE-2017-18924

oauth2-server aka node-oauth2-server through 3.1.1 implements OAuth 2.0 without PKCE. It does not prevent authorization code injection. This is similar to CVE-2020-7692. NOTE: the vendor states 'As RFC7636 is an extension, I think the claim in the Readme of "RFC 6749 compliant" is valid and not...

7.5CVSS9.6AI score
Exploits0References5
Prion
Prion
added 2020/10/04 5:15 a.m.29 views

Authorization

DISPUTED oauth2-server aka node-oauth2-server through 3.1.1 implements OAuth 2.0 without PKCE. It does not prevent authorization code injection. This is similar to CVE-2020-7692. NOTE: the vendor states 'As RFC7636 is an extension, I think the claim in the Readme of "RFC 6749 compliant" is valid...

5CVSS8.4AI score0.0219EPSS
Exploits2References5Affected Software1
Cvelist
Cvelist
added 2020/10/04 4:38 a.m.24 views

CVE-2017-18924

oauth2-server aka node-oauth2-server through 3.1.1 implements OAuth 2.0 without PKCE. It does not prevent authorization code injection. This is similar to CVE-2020-7692. NOTE: the vendor states 'As RFC7636 is an extension, I think the claim in the Readme of "RFC 6749 compliant" is valid and not...

8.4AI score0.0219EPSS
Exploits1References5
CVE
CVE
added 2020/10/04 4:38 a.m.99 views

CVE-2017-18924

CVE-2017-18924 concerns oauth2-server (node-oauth2-server) up to version 3.1.1, which implements OAuth 2.0 without PKCE. The description states it does not prevent authorization code injection, similar to CVE-2020-7692, and notes the vendor’s stance that RFC7636 is an extension and the RFC 6749 c...

7.5CVSS8.3AI score0.0219EPSS
Exploits1References5Affected Software1
Prion
Prion
added 2020/04/06 5:15 p.m.14 views

Design/Logic Flaw

In Hydra an OAuth2 Server and OpenID Certified™ OpenID Connect Provider written in Go, before version 1.4.0+oryOS.17, when using client authentication method 'privatekeyjwt' 1, OpenId specification says the following about assertion jti: "A unique identifier for the token, which can be used to...

3.5CVSS5.3AI score0.01028EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2020/04/06 4:30 p.m.68 views

CVE-2020-5300

Hydra (Go-based OAuth2/OpenID provider) before version 1.4.0+oryOS.17 is affected when using client authentication with private_key_jwt because it does not enforce uniqueness of the JWT jti value, enabling potential token replay within the token’s expiry window. A patch is published in v1.4.0+ory...

5.8CVSS5.3AI score0.01028EPSS
Exploits0References3Affected Software1
Rows per page
Query Builder