@okta/oidc-middlewareOpen Redirect vulnerability
Moderate severity
GitHub Reviewed
Published
Jan 5, 2023
in
okta/okta-oidc-middleware
•
Updated Feb 7, 2023
Description
Published to the GitHub Advisory Database
Jan 9, 2023
Reviewed
Jan 9, 2023
Published by the National Vulnerability Database
Jan 12, 2023
Last updated
Feb 7, 2023
An open redirect vulnerability exists in Okta OIDC Middleware prior to version 5.0.0 allowing an attacker to redirect a user to an arbitrary URL.
Affected products and versions
Okta OIDC Middleware prior to version 5.0.0.
Resolution
The vulnerability is fixed in OIDC Middleware 5.0.0. To remediate this vulnerability, upgrade Okta OIDC Middleware to this version or later.
CVE details
CVE ID: CVE-2022-3145
Published Date: 01/05/2023
Vulnerability Type: Open Redirect
CWE: CWE-601
CVSS v3.1 Score: 4.3
Severity: Medium
Vector string: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Severity Details
To exploit this issue, an attacker would need to send a victim a malformed URL containing a target server that they control. Once a user successfully completed the login process, the victim user would then be redirected to the attacker controlled site.
References
https://github.com/okta/okta-oidc-middleware
References