GHSA-8wgc-jjvv-cv6v – loopback
Package
Manager: npm
Name: loopback
Vulnerable Version: >=0 <2.40.0 || >=3.0.0 <3.22.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
Improper Authorization in loopback

Vulnerable versions of `loopback` allow an attacker to create access tokens on behalf of other users because token creation is not authorized against the caller's identity (CWE-285). If the built-in AccessToken model is publicly exposed over the REST API, an unauthenticated attacker who knows a target's `userId` can create a valid token for that user. The attacker can then act as that user, reading their data and exercising their privileges.

Recommendation

For loopback 2.x, upgrade to version 2.40.0 or later.
For loopback 3.x, upgrade to version 3.22.0 or later.
Metadata
Created: 2020-09-02T15:54:52Z
Modified: 2021-09-27T15:44:08Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-8wgc-jjvv-cv6v/GHSA-8wgc-jjvv-cv6v.json
CWE IDs: ["CWE-285"]
Alternative ID: N/A
Finding: F039
Auto approve: 1