passport-0.4.1.tgz: 1 vulnerabilities (highest severity is: 4.8) reachable #9

mend-for-github-com · 2023-11-07T02:13:18Z

Vulnerable Library - passport-0.4.1.tgz

Simple, unobtrusive authentication for Node.js.

Library home page: https://registry.npmjs.org/passport/-/passport-0.4.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/passport/package.json

Found in HEAD commit: d2708792be12ec4955aee513fffe301dcfefc7d8

Vulnerabilities

CVE	Severity	CVSS	Exploit Maturity	EPSS	Dependency	Type	Fixed in (passport version)	Remediation Possible**	Reachability
CVE-2022-25896	Medium	4.8	Not Defined	0.1%	passport-0.4.1.tgz	Direct	0.6.0	✅	Reachable

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-25896

Vulnerable Library - passport-0.4.1.tgz

Simple, unobtrusive authentication for Node.js.

Library home page: https://registry.npmjs.org/passport/-/passport-0.4.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/passport/package.json

Dependency Hierarchy:

❌ passport-0.4.1.tgz (Vulnerable Library)

Found in HEAD commit: d2708792be12ec4955aee513fffe301dcfefc7d8

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

dvna-0.0.1/server.js (Application)
  -> passport-0.4.1/lib/index.js (Extension)
   -> passport-0.4.1/lib/authenticator.js (Extension)
    -> ❌ passport-0.4.1/lib/sessionmanager.js (Vulnerable Component)

Vulnerability Details

This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed.

Publish Date: 2022-07-01

URL: CVE-2022-25896

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (4.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25896

Release Date: 2022-07-01

Fix Resolution: 0.6.0

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.

The text was updated successfully, but these errors were encountered:

mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Nov 7, 2023

mend-for-github-com bot mentioned this issue Nov 7, 2023

Update dependency passport to ^0.7.0 #10

Open

1 task

mend-for-github-com bot changed the title ~~passport-0.4.1.tgz: 1 vulnerabilities (highest severity is: 4.8) non-reachable~~ passport-0.4.1.tgz: 1 vulnerabilities (highest severity is: 4.8) unreachable Mar 1, 2024

mend-for-github-com bot changed the title ~~passport-0.4.1.tgz: 1 vulnerabilities (highest severity is: 4.8) unreachable~~ passport-0.4.1.tgz: 1 vulnerabilities (highest severity is: 4.8) reachable Mar 4, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

passport-0.4.1.tgz: 1 vulnerabilities (highest severity is: 4.8) reachable #9

passport-0.4.1.tgz: 1 vulnerabilities (highest severity is: 4.8) reachable #9

Vulnerable Library - passport-0.4.1.tgz

Reachability Analysis

Vulnerability Details

Threat Assessment

CVSS 3 Score Details (4.8)

Suggested Fix

passport-0.4.1.tgz: 1 vulnerabilities (highest severity is: 4.8) reachable #9

passport-0.4.1.tgz: 1 vulnerabilities (highest severity is: 4.8) reachable #9

Comments

Uh oh!

Vulnerabilities

Details

Vulnerable Library - passport-0.4.1.tgz

Reachability Analysis

Vulnerability Details

Threat Assessment

CVSS 3 Score Details (4.8)

Suggested Fix