Security vulnerability in passport-azure-ad > async AND passport-azure-ad > cache-manager > async

Core Library

Passport Azure AD (passport-azure-ad)

Core Library Version

4.3.1

Wrapper Library

Not Applicable

Wrapper Library Version

none

Description

The following dependency chaining originating in passport-azure-ad introduces a security vulnerability which is getting flagged by Whitesource: CVE-2021-43138 https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Upgrade to version async - v3.2.2

passport-azure-ad > async
passport-azure-ad > cache-manager > async

Error Message

No response

Msal Logs

No response

MSAL Configuration

N/A

Relevant Code Snippets

N/A

Reproduction Steps

N/A

Expected Behavior

N/A

Identity Provider

Azure AD / MSA

Browsers Affected (Select all that apply)

None (Server)

Regression

No response

Source

Internal (Microsoft)

Issue Analytics

  • State: closed
  • Created a year ago
  • Reactions: 2
  • Comments: 7 (5 by maintainers)

Top GitHub Comments

3 reactions
jasonnutter commented, Apr 27, 2022

Thanks for the fix. Can we expect an updated package to be published on npmjs.com? Our enterprise has strict requirements on addressing Dependabot alerts.

Yes, planning to include this in our releases next week.

1 reaction
jasonnutter commented, Apr 19, 2022

@AndrewHarrison92 You are correct, my mistake. #4724 will resolve that.
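
Added example, not part of the GitHub thread or of the passport-azure-ad project: a lockfile check that reports every dependency chain, in the same `a > b > async` form the issue uses, ending at a copy of `async` older than the v3.2.2 upgrade target named in the issue. The helper names and the sample lockfile (including the `async` and `cache-manager` versions) are constructed for illustration, and the npm v2/v3 `packages` lockfile layout is assumed.

```javascript
const MIN_FIXED = "3.2.2"; // upgrade target stated in the issue

// Numeric compare of dotted versions; prerelease suffixes are ignored (assumption).
function olderThan(version, min) {
  const a = version.split("-")[0].split(".").map(Number);
  const b = min.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false;
}

// Node-style resolution: try the requirer's own node_modules, then walk up to the root.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Depth-first walk over production dependencies, starting at the root package "".
function findVulnerableChains(lock, target = "async", min = MIN_FIXED) {
  const packages = lock.packages || {};
  const chains = [];
  const walk = (path, chain, seen) => {
    for (const name of Object.keys((packages[path] || {}).dependencies || {})) {
      const dep = resolve(packages, path, name);
      if (!dep || seen.has(dep)) continue; // unresolved entry or dependency cycle
      const next = chain.concat(name);
      const version = packages[dep].version || "0.0.0";
      if (name === target && olderThan(version, min)) chains.push(`${next.join(" > ")}@${version}`);
      walk(dep, next, new Set(seen).add(dep));
    }
  };
  walk("", [], new Set([""]));
  return chains;
}

// Constructed lockfile excerpt; transitive versions are illustrative only.
const sampleLock = { packages: {
  "": { name: "demo-app", dependencies: { "passport-azure-ad": "^4.3.1" } },
  "node_modules/passport-azure-ad": { version: "4.3.1", dependencies: { async: "^1.5.2", "cache-manager": "2.10.2" } },
  "node_modules/async": { version: "1.5.2" },
  "node_modules/cache-manager": { version: "2.10.2", dependencies: { async: "1.5.2" } },
} };
console.log(findVulnerableChains(sampleLock));
```

On a real project, pass the parsed contents of `package-lock.json` in place of `sampleLock`; an empty result means no production chain resolves to an `async` below the target version.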
