Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Code Injection found by npm audit #688

Open
lior1503 opened this issue May 5, 2021 · 2 comments
Open

Code Injection found by npm audit #688

lior1503 opened this issue May 5, 2021 · 2 comments

Comments

@lior1503
Copy link

lior1503 commented May 5, 2021

From npm audit output:
oauth2-server (aka node-oauth2-server) through 3.1.1 implements OAuth 2.0 without PKCE. It does not prevent authorization code injection. This is similar to CVE-2020-7692. NOTE: the vendor states 'As RFC7636 is an extension, I think the claim in the Readme of "RFC 6749 compliant" is valid and not misleading and I also therefore wouldn't describe this as a "vulnerability" with the library per se.'"
Screen Shot 2021-05-05 at 11 27 19
@OdedBaruch
Copy link

Indeed Urgent

@HappyZombies
Copy link

HappyZombies commented May 11, 2021
edited
Loading

The project appears to have been abandoned for over a year or so, but there are MRs and issues made to address these.

#452

#637

Hopefully if someone of us can get this under new management (or if they come back) these issues can addressed.

@HappyZombies HappyZombies mentioned this issue May 13, 2021
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@HappyZombies @lior1503 @OdedBaruch