GMS-2020-426: Improper Authorization in passport-cognito

September 4, 2020 (updated October 4, 2021)

All versions of passport-cognito are vulnerable to Improper Authorization. The package fails to properly scope the variables containing authorization information, such as access token, refresh token and ID token. This causes a race condition where simultaneous authenticated users may receive authorization tokens for a different user. This would allow a user to take actions on another user’s behalf. ## Recommendation

No fix is currently available. Consider using an alternative package until a fix is made available.

References

github.com/advisories/GHSA-v6c5-hwqg-3x5q
nvd.nist.gov/vuln/detail/CVE-2019-19723
www.npmjs.com/advisories/1443

Code Behaviors & Features

Detect and mitigate GMS-2020-426 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →