CVE-2017-18924 Information

Description

LICENSE README.md cvefilelist cvelist nvdcve nvdpages.sh scripts test-CVE-2017-1882.markdown test-CVE-2017-18822.markdown tmpvendorlinks DISPUTED LICENSE README.md cvefilelist cvelist nvdcve nvdpages.sh scripts test-CVE-2017-1882.markdown test-CVE-2017-18822.markdown tmpvendorlinks oauth2-server (aka node-oauth2-server) through 3.1.1 implements OAuth 2.0 without PKCE. It does not prevent authorization code injection. This is similar to CVE-2020-7692. NOTE: the vendor states ‘As RFC7636 is an extension I think the claim in the Readme of \RFC 6749 compliant\ is valid and not misleading and I also therefore wouldn’t describe this as a \vulnerability\ with the library per se.’

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Reference

https://codeburst.io/missing-the-point-in-securing-oauth-2-0-83968708b467 https://github.com/oauthjs/node-oauth2-server/issues/637 https://github.com/oauthjs/node-oauth2-server/pull/452 https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15 https://tools.ietf.org/html/rfc7636

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

NONE

Base Severity

7.5