CVE-2022-3145 – @okta/oidc-middleware
Package
Manager: npm
Name: @okta/oidc-middleware
Vulnerable Version: >=0 <5.0.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00061 (percentile 0.1913)
Details
@okta/oidc-middleware Open Redirect vulnerability

An open redirect vulnerability exists in Okta OIDC Middleware prior to version 5.0.0, allowing an attacker to redirect a user to an arbitrary URL.

**Affected products and versions**
Okta OIDC Middleware prior to version 5.0.0.

**Resolution**
The vulnerability is fixed in OIDC Middleware 5.0.0. To remediate this vulnerability, upgrade Okta OIDC Middleware to this version or later.

**CVE details**
**CVE ID:** [CVE-2022-3145](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-3145)
**Published Date:** 01/05/2023
**Vulnerability Type:** Open Redirect
**CWE:** CWE-601
**CVSS v3.1 Score:** 4.3
**Severity:** Medium
**Vector string:** AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

**Severity Details**
To exploit this issue, an attacker would need to send a victim a malformed URL containing a target server that they control. Once the victim successfully completed the login process, they would then be redirected to the attacker-controlled site.

**References**
https://github.com/okta/okta-oidc-middleware
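The class of bug described above is a post-login return target taken from the request and used unchecked. As an added, defensive example (not code from okta-oidc-middleware or the fixed release), this is one way an application can constrain that target so it can only resolve to a path on its own origin; `APP_ORIGIN`, `isSafeReturnTo` and `safeReturnTo` are assumed names for the example:

```javascript
// Added example, not okta-oidc-middleware code: restrict a user-supplied
// post-login "return to" value to same-origin relative paths (CWE-601 mitigation).

// Hypothetical application origin, assumed for this example.
const APP_ORIGIN = 'https://app.example.com';

// Returns true only if `target` is a plain path on our own origin.
function isSafeReturnTo(target) {
  if (typeof target !== 'string' || target.length === 0) return false;

  // Must be a relative path: reject absolute URLs ("https://..."), scheme-only
  // values ("javascript:..."), protocol-relative ("//host") and the backslash
  // variant ("/\host"), which WHATWG URL parsing treats like "//host".
  if (!target.startsWith('/')) return false;
  if (target.startsWith('//') || target.startsWith('/\\')) return false;

  // Control characters and whitespace are stripped by URL parsers in ways that
  // can change meaning; refuse them outright instead of normalising.
  if (/[\u0000-\u001f\u007f\s]/.test(target)) return false;

  // Resolve against our origin and confirm the parser agrees it stays there.
  let resolved;
  try {
    resolved = new URL(target, APP_ORIGIN);
  } catch (_err) {
    return false;
  }
  return resolved.origin === APP_ORIGIN;
}

// Returns the validated target, or a safe fallback when validation fails.
// Use this (not the raw session/query value) when issuing the final redirect.
function safeReturnTo(target, fallback = '/') {
  return isSafeReturnTo(target) ? target : fallback;
}
```

Store the validated value when the login starts and re-validate it when the callback issues the redirect, so a value planted in the session by an earlier request is still checked.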
Metadata
Created: 2023-01-09T20:06:02Z
Modified: 2023-01-31T01:47:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-58h4-9m7m-j9m4/GHSA-58h4-9m7m-j9m4.json
CWE IDs: ["CWE-601"]
Alternative ID: GHSA-58h4-9m7m-j9m4
Finding: F156
Auto approve: 1