Home > Vulnerability Database > CVE-2021-41246

Mend.io Vulnerability Database

CVE-2021-41246

Good to know:

Date: December 9, 2021

Express OpenID Connect is express JS middleware implementing sign on for Express web apps using OpenID Connect. Versions before and including "2.5.1" do not regenerate the session id and session cookie when user logs in. This behavior opens up the application to various session fixation vulnerabilities. Versions "2.5.2" contains a patch for this issue.

Language: JS

Severity Score

4.6

Related Resources (6)

Url: https://nvd.nist.gov/vuln/detail/CVE-2021-41246

Url: https://github.com/auth0/express-openid-connect

Url: https://github.com/auth0/express-openid-connect/releases/tag/v2.5.2

Url: https://github.com/auth0/express-openid-connect/commit/5ab67ff2bd84f76674066b5e129b43ab5f2f430f

Url: https://github.com/auth0/express-openid-connect/security/advisories/GHSA-7rg2-qxmf-hhx9

Url: https://www.mend.io/vulnerability-database/CVE-2021-41246

Severity Score

4.6

Weakness Type (CWE)

Session Fixation

CWE-384

Top Fix

Upgrade Version

Upgrade to version express-openid-connect - 2.5.2

Learn More

CVSS v3.1

Base Score:	4.6
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

CVSS v2

Base Score:	6.8
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2021-41246

Good to know:

Date: December 9, 2021

Language: JS

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?