CVE-2019-13483: Security Vulnerability in Passport-SharePoint

Published: 7/23/2019

CVE number: CVE-2019-13483

Overview

Versions of Passport-SharePoint prior to 0.4.0 do not validate the JWT signature of an Access Token before processing.

This vulnerability allows attackers to forge tokens and bypass authentication and authorization mechanisms.
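
The difference between parsing a token and verifying it, shown as an added example that is not Passport-SharePoint's own code. It assumes an HS256-signed token; the function names, key and claims are constructed for illustration.

```javascript
// Added example: all names, keys and claims below are constructed, not from the library.
const { createHmac, timingSafeEqual } = require('crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');
const sign = (data, key) => createHmac('sha256', key).update(data).digest();

// Builds an HS256 token; used here only to produce sample input.
function makeToken(claims, key) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  return `${head}.${body}.${b64url(sign(`${head}.${body}`, key))}`;
}

// The defect class: claims are parsed and trusted, the signature is never checked.
function decodeOnly(token) {
  return JSON.parse(Buffer.from(token.split('.')[1], 'base64url').toString());
}

// Hardened form: pin the algorithm, compare the MAC in constant time, then parse.
function verifyToken(token, key) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [head, body, sig] = parts;
  const header = JSON.parse(Buffer.from(head, 'base64url').toString());
  if (header.alg !== 'HS256') throw new Error('unexpected alg');
  const expected = sign(`${head}.${body}`, key);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }
  // Claim checks (expiry, audience, issuer) belong here, after the signature passes.
  return JSON.parse(Buffer.from(body, 'base64url').toString());
}

// Constructed sample input: one token signed with the application's key,
// one signed with a key the application does not trust.
const APP_KEY = 'constructed-app-secret';
const genuine = makeToken({ sub: 'alice' }, APP_KEY);
const untrusted = makeToken({ sub: 'admin' }, 'some-other-key');

function accepts(token) {
  try { verifyToken(token, APP_KEY); return true; } catch { return false; }
}

console.log('decodeOnly trusts:', decodeOnly(untrusted).sub);
console.log('verifyToken accepts untrusted:', accepts(untrusted));
console.log('verifyToken accepts genuine:', accepts(genuine));
```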

Am I affected?

You are affected by this vulnerability if you use a Passport-SharePoint version earlier than 0.4.0.

How do I fix this?

Developers using the Passport-SharePoint library must upgrade to version 0.4.0.

Please note that Auth0 has deprecated and will no longer maintain this library. Developers should plan to discontinue its use.

Will this update impact my users?

No. This fix patches the library that your application runs, but it will not impact your users, their current state, or any existing sessions.