CVE-2021-41580
First published: Mon Sep 27 2021(Updated: )
** DISPUTED ** The passport-oauth2 package before 1.6.1 for Node.js mishandles the error condition of failure to obtain an access token. This is exploitable in certain use cases where an OAuth identity provider uses an HTTP 200 status code for authentication-failure error reports, and an application grants authorization upon simply receiving the access token (i.e., does not try to use the token). NOTE: the passport-oauth2 vendor does not consider this a passport-oauth2 vulnerability.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Passportjs Passport-oauth2 | <1.6.1 | |
| IBM Cloud Pak for Business Automation | <=V23.0.1 - V23.0.1-IF002 | |
| IBM Cloud Pak for Business Automation | <=V21.0.3 - V21.0.3-IF024 | |
| IBM Cloud Pak for Business Automation | <=V22.0.2 - V22.0.2-IF006 and later fixesV22.0.1 - V22.0.1-IF006 and later fixesV21.0.2 - V21.0.2-IF012 and later fixesV21.0.1 - V21.0.1-IF007 and later fixesV20.0.1 - V20.0.3 and later fixesV19.0.1 - V19.0.3 and later fixesV18.0.0 - V18.0.2 and later fixes | |
| <1.6.1 |
Remedy
https://github.com/jaredhanson/passport-oauth2/commit/8e3bcdff145a2219033bd782fc517229fe3e05ea
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/jaredhanson/passport-oauth2/commit/8e3bcdff145a2219033bd782fc517229fe3e05ea
- https://github.com/jaredhanson/passport-oauth2/compare/v1.6.0...v1.6.1
- https://github.com/jaredhanson/passport-oauth2/pull/144
- https://exchange.xforce.ibmcloud.com/vulnerabilities/238760
- https://www.ibm.com/support/pages/node/7047198 (Advisory)
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2021-41580.
What is the severity of CVE-2021-41580?
The severity of CVE-2021-41580 is medium with a CVSS score of 5.3.
How does CVE-2021-41580 impact Node.js passport-oauth2 module?
CVE-2021-41580 can allow a remote attacker to obtain sensitive information by exploiting a mishandling of error condition in the Node.js passport-oauth2 module.
What is the affected software for CVE-2021-41580?
The affected software is IBM Cloud Pak for Business Automation, versions V23.0.1-IF002, V21.0.3-IF024, V22.0.2-IF006 and later fixes, V21.0.1-IF007 and later fixes, V20.0.1-V20.0.3 and later fixes, V19.0.1-V19.0.3 and later fixes, V18.0.0-V18.0.2 and later fixes.
How can an attacker exploit CVE-2021-41580?
An attacker can exploit CVE-2021-41580 by sending a specially-crafted request to obtain access token information and potentially launch further attacks.
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/severity
- agent/remedy
- agent/references
- agent/status
- agent/author
- agent/softwarecombine
- agent/description
- agent/event
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- collector/ibm-support
- source/IBM
- agent/tags
- collector/mitre-cve
- source/MITRE
- status/disputed
- vendor/passportjs
- canonical/passportjs passport-oauth2
- vendor/ibm
- canonical/ibm cloud pak for business automation
- version/ibm cloud pak for business automation/v23.0.1 - v23.0.1-if002
- version/ibm cloud pak for business automation/v21.0.3 - v21.0.3-if024
- version/ibm cloud pak for business automation/v22.0.2 - v22.0.2-if006 and later fixesv22.0.1 - v22.0.1-if006 and later fixesv21.0.2 - v21.0.2-if012 and later fixesv21.0.1 - v21.0.1-if007 and later fixesv20.0.1 - v20.0.3 and later fixesv19.0.1 - v19.0.3 and later fixesv18.0.0 - v18.0.2 and later fixes