Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTh3Z2Mtamp2di1jdjZ2
Improper Authorization in loopback
Vulnerable versions of loopback may allow attackers to create authentication tokens on behalf of other users due to Improper Authorization. If the AccessToken model is publicly exposed (reachable through the REST API), an attacker can create an AccessToken for any user as long as they know the target's userId. The attacker can then use that token to access the target user's data and act with the target user's privileges.
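The two checks a practitioner wants here are whether the AccessToken model is exposed over REST (the precondition above) and whether a token-creation request names a user other than the caller. The following is an added example, not code from the loopback project or its actual fix. It assumes the LoopBack 3 model-config.json layout (a model entry with a "public" flag) and the LoopBack 3 remote-hook shape (Model.beforeRemote('create', ...), ctx.req.accessToken set by the token middleware, ctx.args.data as the posted body); the config fragments, token and request bodies are constructed samples.

```javascript
'use strict';

// Constructed sample model-config.json fragments (not from any real app).
// In LoopBack 3 a model with "public": true gets REST endpoints such as
// POST /api/AccessTokens, which is the exposure the advisory describes.
const EXPOSED_MODEL_CONFIG = JSON.stringify({
  _meta: { sources: ['loopback/common/models', '../common/models'] },
  User: { dataSource: 'db', public: true },
  AccessToken: { dataSource: 'db', public: true },   // exposed over REST
});

const HARDENED_MODEL_CONFIG = JSON.stringify({
  _meta: { sources: ['loopback/common/models', '../common/models'] },
  User: { dataSource: 'db', public: true },
  AccessToken: { dataSource: 'db', public: false },  // no REST endpoints
});

// Check 1: does this model-config.json expose the AccessToken model over REST?
function isAccessTokenPublic(modelConfigJson) {
  const cfg = JSON.parse(modelConfigJson);
  const entry = cfg.AccessToken;
  return Boolean(entry && entry.public === true);
}

function httpError(statusCode, message) {
  const err = new Error(message);
  err.statusCode = statusCode;
  return err;
}

// Check 2: authorization guard for AccessToken creation.
// callerToken is the token that authenticated the request; body is the JSON
// posted to create a new token. Returns null when the request may proceed,
// otherwise an Error carrying the HTTP status to send. A missing userId is
// rejected too, so the caller cannot dodge the comparison by omitting it.
function authorizeTokenCreation(callerToken, body) {
  if (!callerToken || callerToken.userId === undefined || callerToken.userId === null) {
    return httpError(401, 'Authorization Required');
  }
  const requested = body && body.userId;
  // Compare as strings: userId may arrive as a number, a string or an ObjectID.
  if (requested === undefined || requested === null ||
      String(requested) !== String(callerToken.userId)) {
    return httpError(403, 'Cannot create access tokens for another user');
  }
  return null;
}

// Wiring into a model object, assuming LoopBack 3's beforeRemote hook API.
// next(null) lets the create proceed; next(err) rejects it with err.statusCode.
function installTokenCreationGuard(AccessToken) {
  AccessToken.beforeRemote('create', function(ctx, unused, next) {
    next(authorizeTokenCreation(ctx.req.accessToken, ctx.args.data));
  });
}

// Exercise the wiring offline against a minimal stand-in for the model object.
function runHookAgainstStub(callerToken, body) {
  let handler;
  const stubModel = { beforeRemote(method, fn) { if (method === 'create') handler = fn; } };
  installTokenCreationGuard(stubModel);
  let outcome;
  handler({ req: { accessToken: callerToken }, args: { data: body } }, undefined,
          function(err) { outcome = err; });
  return outcome === undefined ? null : outcome;
}

// Constructed request data: the caller holds a token for userId 7 and posts a
// body naming userId 42, the shape of request the advisory describes.
const CALLER_TOKEN = { id: 'tok-for-user-7', userId: 7 };
const FORGED_REQUEST = { userId: 42, ttl: 1209600 };
const OWN_REQUEST = { userId: '7', ttl: 1209600 };

const forged = runHookAgainstStub(CALLER_TOKEN, FORGED_REQUEST);
console.log('AccessToken public in exposed config:', isAccessTokenPublic(EXPOSED_MODEL_CONFIG));
console.log('AccessToken public in hardened config:', isAccessTokenPublic(HARDENED_MODEL_CONFIG));
console.log('forged request:', forged ? forged.statusCode + ' ' + forged.message : 'allowed');
console.log('own request:', runHookAgainstStub(CALLER_TOKEN, OWN_REQUEST) === null ? 'allowed' : 'rejected');
```

The upgrade named in the recommendation is the fix; the guard above is defence in depth and only works if the token middleware actually populates the caller's token on the request. Keeping AccessToken non-public in model-config.json removes the REST surface entirely, which is the cheaper control when the application does not need clients to mint tokens directly.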
Recommendation
For loopback 2.x, upgrade to version 2.40.0 or later.
For loopback 3.x, upgrade to version 3.22.0 or later.
Permalink: https://github.com/advisories/GHSA-8wgc-jjvv-cv6v
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTh3Z2Mtamp2di1jdjZ2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 3 years ago
Updated: 9 months ago
Identifiers: GHSA-8wgc-jjvv-cv6v
References:
- https://loopback.io/doc/en/lb2/Security-advisory-08-08-2018.html
- https://loopback.io/doc/en/lb3/Security-advisory-08-08-2018.html
- https://www.npmjs.com/advisories/771
- https://github.com/strongloop/loopback
- https://github.com/advisories/GHSA-8wgc-jjvv-cv6v
Affected Packages
npm:loopback
Versions: >= 3.0.0, <= 3.21.0; <= 2.39.2
Fixed in: 3.22.0, 2.40.0