npm

Severity: critical

Authentication Bypass

passport-azure-ad

Overview

Affected versions of passport-azure-ad do not recognize the validateIssuer setting, which allows remote attackers to bypass authentication via a crafted token.

Remediation

Version 1.x: Update to version 1.4.6 or later. Version 2.x: Update to version 2.0.1 or later.
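One way to check a project against the remediation above, as an added example that is not part of the original advisory: the script classifies every passport-azure-ad entry in a parsed package-lock.json against the fixed versions 1.4.6 and 2.0.1. The function names and the sample lockfile are constructed for illustration, and release lines other than 1.x and 2.x are reported as "unknown" because the advisory does not cover them.

```javascript
// Added example. Fixed versions come from the advisory's Remediation section.
const FIXED = { 1: [1, 4, 6], 2: [2, 0, 1] };
// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into numbers plus a prerelease flag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(String(v).trim());
  if (!m) return null;
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// Returns "update", "ok", or "unknown" (release line not covered by the advisory).
function classify(version) {
  const p = parseVersion(version);
  if (!p) return "unknown";
  const fixed = FIXED[p.parts[0]];
  if (!fixed) return "unknown";
  for (let i = 0; i < 3; i++) {
    if (p.parts[i] !== fixed[i]) return p.parts[i] < fixed[i] ? "update" : "ok";
  }
  // Same numbers as the fix: a prerelease of the fixed version sorts before it.
  return p.pre ? "update" : "ok";
}

// Walk a parsed package-lock.json: the flat "packages" map and nested "dependencies".
function findInLock(lock, name = "passport-azure-ad") {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      hits.push({ where: path, version: entry.version, status: classify(entry.version) });
    }
  }
  const walk = (deps, trail) => {
    for (const [dep, entry] of Object.entries(deps || {})) {
      const where = `${trail}${dep}`;
      if (dep === name) hits.push({ where, version: entry.version, status: classify(entry.version) });
      walk(entry.dependencies, `${where} > `);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}
// Constructed sample lockfile, not taken from a real project.
const sampleLock = {
  packages: {
    "node_modules/passport-azure-ad": { version: "2.0.0" },
    "node_modules/api-gateway/node_modules/passport-azure-ad": { version: "1.4.6" },
  },
  dependencies: { "legacy-auth": { version: "0.3.0", dependencies: { "passport-azure-ad": { version: "1.4.5" } } } },
};
console.log(findInLock(sampleLock));
```

Transitive copies matter here: a patched top-level dependency does not help if another package pins an older passport-azure-ad of its own.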

Advisory timeline

  1. published: Advisory published, Dec 6th, 2016
  2. reported: Initial report by Unknown, Oct 27th, 2016