Improper Authorization Affecting loopback package, versions >=2.0.0 <2.40.0 >=3.0.0 <3.22.0
Snyk CVSS
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-LOOPBACK-73559
- published 20 Jan 2019
- disclosed 15 Aug 2018
- credit zbarbuto
How to fix?
Upgrade loopback to version 2.40.0, 3.22.0 or higher.
Overview
loopback is a highly-extensible, open-source Node.js framework that enables you to create dynamic end-to-end REST APIs, access data from several databases, incorporate model relationships and access controls for complex APIs, and more.
Affected versions of this package are vulnerable to Improper Authorization. An attacker can create Authentication Tokens on behalf of other users. If the AccessToken model is publicly exposed, the attacker can create tokens for any user as long as they know the target's userId. This will allow the attacker to access the user's data and their privileges.