CVE-2021-41246 MEDIUM

CVE-2021-41246: Session fixation in express-openid-connect

Vendor Auth0
Product express-openid-connect
Weakness CWE-384 · Session fixation
Published December 9, 2021
Last update August 4, 2024

CVSS base score

4.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Scope Unchanged
Confidentiality Low
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

01 Description

Express OpenID Connect is Express.js middleware that implements sign-on for Express web apps using OpenID Connect. Versions up to and including `2.5.1` do not regenerate the session ID and session cookie when a user logs in, so a session identifier that was valid before authentication (including one an attacker planted in the victim's browser) stays valid, and becomes authenticated, after it. This behavior exposes the application to session fixation attacks. Version `2.5.2` contains a patch for this issue.

Key dates

02 Disclosure timeline

December 9, 2021 CVE published
August 4, 2024 Record updated