CVE-2020-7787 Detail

Current Description

This affects all versions of package react-adal. A specially crafted JWT token and request URL can cause the nonce, session and refresh validations to pass when they should fail, so the application treats an attacker-generated JWT token as authentic. The logical defect lies in how the nonce, session and refresh values are stored in the browser's session or local storage: each new key is appended to the end of the stored list, so the list of accepted values always contains an empty string (""). Adal.js therefore accepts a JWT token as authentic when its callback URL carries an empty session parameter, because the empty value matches the empty entry in the stored list.


Analysis Description

This affects all versions of package react-adal. A specially crafted JWT token and request URL can cause the nonce, session and refresh validations to pass when they should fail, so the application treats an attacker-generated JWT token as authentic. The logical defect lies in how the nonce, session and refresh values are stored in the browser's session or local storage: each new key is appended to the end of the stored list, so the list of accepted values always contains an empty string (""). Adal.js therefore accepts a JWT token as authentic when its callback URL carries an empty session parameter, because the empty value matches the empty entry in the stored list.
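The following is an added illustration, not react-adal's or adal.js's own source: a minimal model of the storage pattern the description refers to, in which each new nonce/state value is concatenated onto the existing stored string with a delimiter, beside a hardened version. The delimiter "||", the storage key name, the function names (saveValueVulnerable, matchValueHardened, jwtNonce, demo) and the in-memory storage stand-in are assumptions made for this example; the attacker token is constructed and unsigned, since signature checking is not the point being shown.

```javascript
// Added example (not library code). Node.js is assumed for Buffer.
const DELIMITER = "||"; // assumed delimiter between stored values

// In-memory stand-in for window.sessionStorage / localStorage (constructed).
function makeStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => map.set(k, String(v)),
  };
}

// Vulnerable pattern: every new value is concatenated onto whatever is
// already stored, starting from an empty string, so once the stored string
// is split on the delimiter it always contains "" as an element.
function saveValueVulnerable(storage, key, value) {
  const existing = storage.getItem(key) || "";
  storage.setItem(key, existing + DELIMITER + value);
}

// Accepts `received` if it equals ANY stored entry, including the empty one.
function matchValueVulnerable(storage, key, received) {
  const stored = storage.getItem(key);
  if (!stored) return false;
  return stored.split(DELIMITER).some((v) => v === received);
}

// Hardened pattern: never store an empty entry, reject an empty or missing
// received value before comparing, and consume a value once it has matched
// so the same nonce cannot be replayed.
function saveValueHardened(storage, key, value) {
  if (typeof value !== "string" || value.length === 0) {
    throw new Error("refusing to store an empty value");
  }
  const list = (storage.getItem(key) || "").split(DELIMITER).filter(Boolean);
  list.push(value);
  storage.setItem(key, list.join(DELIMITER));
}

function matchValueHardened(storage, key, received) {
  if (typeof received !== "string" || received.length === 0) return false;
  const list = (storage.getItem(key) || "").split(DELIMITER).filter(Boolean);
  const idx = list.indexOf(received);
  if (idx === -1) return false;
  list.splice(idx, 1); // one-time use
  storage.setItem(key, list.join(DELIMITER));
  return true;
}

// Read the nonce claim out of a JWT payload (base64url, middle segment).
// Signature verification is deliberately out of scope for this illustration.
function jwtNonce(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) return undefined;
  const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  return payload.nonce;
}

function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64url");
}

// Scenario: the app stored one nonce for a legitimate login, then the
// callback carries a constructed attacker token whose nonce claim is "".
function demo() {
  const attackerJwt =
    b64url({ alg: "none" }) + "." + b64url({ sub: "attacker", nonce: "" }) + ".";

  const vuln = makeStorage();
  saveValueVulnerable(vuln, "nonce.idtoken", "n-123");
  const vulnAccepts = matchValueVulnerable(vuln, "nonce.idtoken", jwtNonce(attackerJwt));

  const hard = makeStorage();
  saveValueHardened(hard, "nonce.idtoken", "n-123");
  const hardAccepts = matchValueHardened(hard, "nonce.idtoken", jwtNonce(attackerJwt));
  const hardAcceptsReal = matchValueHardened(hard, "nonce.idtoken", "n-123");

  return { vulnAccepts, hardAccepts, hardAcceptsReal };
}

console.log(demo()); // vulnerable path accepts the empty nonce; hardened path does not
```

The practical check when auditing similar code is to look at what the stored list contains before the first real value is added: if the delimiter is applied unconditionally, the first split element is "" and any comparison of an empty incoming value against it succeeds. Rejecting empty incoming values and filtering empty stored entries closes that path; consuming a nonce on match additionally prevents replay of a legitimate one.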

Severity

CVSS 3.x Severity & Metrics

CNA: Snyk
Base Score: 8.2 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CVSS 2.0 Severity and Metrics

NIST: NVD
Base Score: 5.0 MEDIUM
Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Weakness Enumeration

CWE-ID | CWE Name | Source
CWE-287 | Improper Authentication | NIST

Known Affected Software Configurations

Configuration 1 (OR): cpe:2.3:a:react-adal_project:react-adal:*:*:*:*:*:node.js:*:* (all versions)

Change History

1 change record found

Initial Analysis

12/11/2020 12:12:30 PM


Action | Type | Old Value | New Value

Added | CPE Configuration | (none) | OR *cpe:2.3:a:react-adal_project:react-adal:*:*:*:*:*:node.js:*:*
Added | CVSS V2 | (none) | NIST (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Added | CWE | (none) | NIST CWE-287
Changed | Reference Type | https://github.com/salvoravida/react-adal/pull/115 No Types Assigned | https://github.com/salvoravida/react-adal/pull/115 Exploit, Third Party Advisory
Changed | Reference Type | https://snyk.io/vuln/SNYK-JS-REACTADAL-1018907 No Types Assigned | https://snyk.io/vuln/SNYK-JS-REACTADAL-1018907 Exploit, Third Party Advisory

Quick Info

CVE Dictionary Entry: CVE-2020-7787
NVD Published Date: 12/09/2020
NVD Last Modified: 12/11/2020
Source: Snyk