Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTh3Z2Mtamp2di1jdjZ2

Improper Authorization in loopback

Vulnerable versions of loopback may allow an attacker to create access tokens on behalf of other users due to improper authorization. If the AccessToken model is publicly exposed (that is, its REST endpoints are reachable), an attacker can create an access token for any user simply by supplying that user's userId; loopback does not verify that the caller is authorized to act as that user. With the minted token the attacker can read the target user's data and exercise the target user's privileges.

Recommendation

For loopback 2.x, upgrade to version 2.40.0 or later
For loopback 3.x, upgrade to version 3.22.0 or later
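The two preconditions above, a loopback version inside the affected ranges and a publicly exposed AccessToken model, can be checked mechanically. The following JavaScript is an added example written for this page, not code from the advisory or from the loopback project. It encodes the affected ranges listed under Affected Packages (<= 2.39.2 and >= 3.0.0, <= 3.21.0), parses a MAJOR.MINOR.PATCH version string, and inspects a parsed server/model-config.json object for an exposed AccessToken entry. The sample model-config objects are constructed for the example, and the rule that anything other than an explicit `public: false` counts as exposed is a conservative assumption of this example.

```javascript
// Added example (not part of the advisory or of loopback itself): decide
// whether a project is exposed to GHSA-8wgc-jjvv-cv6v from two inputs, the
// installed loopback version and the project's model-config.json.

// Affected ranges as stated on this page: "<= 2.39.2" and ">= 3.0.0, <= 3.21.0".
// min === null means "no lower bound".
const AFFECTED_RANGES = [
  { min: null, max: [2, 39, 2] },
  { min: [3, 0, 0], max: [3, 21, 0] },
];

// Parse "MAJOR.MINOR.PATCH" (an optional leading "v" and any pre-release or
// build suffix are ignored; this is a deliberate simplification of semver).
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`not a MAJOR.MINOR.PATCH version: ${version}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic comparison of two [major, minor, patch] triples.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the given loopback version falls inside an affected range.
function isAffected(version) {
  const v = parseVersion(version);
  return AFFECTED_RANGES.some(({ min, max }) =>
    (min === null || compareVersions(v, min) >= 0) &&
    compareVersions(v, max) <= 0);
}

// Second precondition from the advisory: the AccessToken model is publicly
// exposed. In a loopback 2.x/3.x app that is the `public` flag of the model's
// entry in server/model-config.json. Assumption made here: anything other
// than an explicit `public: false` is treated as exposed (conservative).
function accessTokenIsPublic(modelConfig) {
  const entry = modelConfig.AccessToken;
  if (!entry) return false; // model not configured at all
  return entry.public !== false;
}

// Combine both preconditions into a single verdict.
function assessProject(loopbackVersion, modelConfig) {
  const vulnerableVersion = isAffected(loopbackVersion);
  const exposed = accessTokenIsPublic(modelConfig);
  if (vulnerableVersion && exposed) return 'VULNERABLE';
  if (vulnerableVersion) return 'AFFECTED_VERSION_NOT_EXPOSED';
  return 'NOT_AFFECTED';
}

// Constructed sample model-config.json contents (sample data for this
// example, not taken from a real project). The first exposes AccessToken
// over REST, the second does not.
const SAMPLE_MODEL_CONFIG_EXPOSED = {
  User: { dataSource: 'db' },
  AccessToken: { dataSource: 'db', public: true },
  ACL: { dataSource: 'db', public: false },
  RoleMapping: { dataSource: 'db', public: false },
  Role: { dataSource: 'db', public: false },
};

const SAMPLE_MODEL_CONFIG_HARDENED = Object.assign({}, SAMPLE_MODEL_CONFIG_EXPOSED, {
  AccessToken: { dataSource: 'db', public: false },
});

// Walk the boundary versions from the advisory against the exposed config.
for (const v of ['2.39.2', '2.40.0', '3.0.0', '3.21.0', '3.22.0']) {
  console.log(v, assessProject(v, SAMPLE_MODEL_CONFIG_EXPOSED),
    assessProject(v, SAMPLE_MODEL_CONFIG_HARDENED));
}
```

Feed it the `loopback` version resolved in package-lock.json (not the range in package.json) and the project's server/model-config.json. Until the upgrade to 2.40.0 or 3.22.0 lands, setting the AccessToken entry to `public: false` removes the precondition the advisory describes: that flag only controls whether the model's REST endpoints are mounted, while in-process use of the model by the token middleware and by User.login is unaffected.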

Permalink: https://github.com/advisories/GHSA-8wgc-jjvv-cv6v
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTh3Z2Mtamp2di1jdjZ2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: over 1 year ago


Identifiers: GHSA-8wgc-jjvv-cv6v
References: Repository: https://github.com/strongloop/loopback
Blast Radius: 0.0

Affected Packages

npm:loopback
Dependent packages: 505
Dependent repositories: 7,782
Downloads: 74,053 last month
Affected Version Ranges: <= 2.39.2; >= 3.0.0, <= 3.21.0
Fixed in: 3.22.0, 2.40.0
All affected versions: 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.6.0, 1.6.1, 1.6.2, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.8.8, 1.9.0, 1.9.1, 1.10.0, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.6.0, 2.7.0, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7, 2.8.8, 2.9.0, 2.10.0, 2.10.1, 2.10.2, 2.11.0, 2.12.0, 2.12.1, 2.13.0, 2.14.0, 2.15.0, 2.16.0, 2.16.1, 2.16.3, 2.17.0, 2.17.1, 2.17.2, 2.17.3, 2.18.0, 2.19.0, 2.19.1, 2.20.0, 2.21.0, 2.22.0, 2.22.1, 2.22.2, 2.23.0, 2.25.0, 2.26.0, 2.26.1, 2.26.2, 2.27.0, 2.28.0, 2.29.0, 2.29.1, 2.30.0, 2.31.0, 2.32.0, 2.33.0, 2.34.0, 2.34.1, 2.35.0, 2.36.0, 2.36.2, 2.37.0, 2.37.1, 2.38.0, 2.38.1, 2.38.2, 2.38.3, 2.39.0, 2.39.1, 2.39.2, 3.0.0, 3.1.0, 3.1.1, 3.2.0, 3.2.1, 3.3.0, 3.4.0, 3.5.0, 3.6.0, 3.7.0, 3.8.0, 3.9.0, 3.10.0, 3.10.1, 3.11.0, 3.11.1, 3.12.0, 3.13.0, 3.14.0, 3.15.0, 3.16.0, 3.16.1, 3.16.2, 3.17.0, 3.17.1, 3.18.0, 3.18.1, 3.18.2, 3.18.3, 3.19.0, 3.19.1, 3.19.2, 3.19.3, 3.20.0, 3.21.0
All unaffected versions: 2.40.0, 2.41.0, 2.41.1, 2.41.2, 2.42.0, 3.22.0, 3.22.1, 3.22.2, 3.22.3, 3.23.0, 3.23.1, 3.23.2, 3.24.0, 3.24.1, 3.24.2, 3.25.0, 3.25.1, 3.26.0, 3.27.0, 3.28.0