{
  "schema_version": "1.4.0",
  "id": "GHSA-58h4-9m7m-j9m4",
  "modified": "2023-01-31T01:47:43Z",
  "published": "2023-01-09T20:06:02Z",
  "aliases": [
    "CVE-2022-3145"
  ],
  "summary": "@okta/oidc-middlewareOpen Redirect vulnerability",
  "details": "An open redirect vulnerability exists in Okta OIDC Middleware prior to version 5.0.0 allowing an attacker to redirect a user to an arbitrary URL.\n\n**Affected products and versions**\nOkta OIDC Middleware prior to version 5.0.0.\n\n**Resolution**\nThe vulnerability is fixed in OIDC Middleware 5.0.0.  To remediate this vulnerability, upgrade Okta OIDC Middleware to this version or later.\n\n**CVE details**\n**CVE ID:**\t\t[CVE-2022-3145](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-3145)\n**Published Date:**\t01/05/2023\n**Vulnerability Type:**\tOpen Redirect\n**CWE:**\t\t\tCWE-601\n**CVSS v3.1 Score:** 4.3\n**Severity:** Medium\n**Vector string:** AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N\n\n**Severity Details**\nTo exploit this issue, an attacker would need to send a victim a malformed URL containing a target server that they control. Once a user successfully completed the login process, the victim user would then be redirected to the attacker controlled site.\n\n**References**\nhttps://github.com/okta/okta-oidc-middleware",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@okta/oidc-middleware"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.0"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/okta/okta-oidc-middleware/security/advisories/GHSA-58h4-9m7m-j9m4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3145"
    },
    {
      "type": "WEB",
      "url": "https://github.com/okta/okta-oidc-middleware/commit/5d10b3ccdd5d6893de4d8b58696094267d30c113"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/okta/okta-oidc-middleware"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-09T20:06:02Z",
    "nvd_published_at": "2023-01-12T19:15:00Z"
  }
}