GMS-2020-359: Improper Authorization in loopback
Vulnerable versions of loopback may allow attackers to create Authentication Tokens on behalf of other users due to Improper Authorization. If the AccessToken model is publicly exposed, an attacker can create Authorization Tokens for any user as long as they know the target's userId. This will allow the attacker to access the user's data and their privileges.
For loopback, upgrade to or later
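A defensive check for the exposure condition described above, as an added example that is not part of the advisory or of the loopback project: it reads a LoopBack-style `model-config.json` object and reports token models that are reachable over the REST API. The sample config, the `SessionToken` model and the function names are constructed for illustration, and the check assumes a model counts as exposed unless `public` is explicitly `false`.

```javascript
// Added example: audit a LoopBack model-config.json for an exposed AccessToken model.

// Constructed sample of server/model-config.json (not from a real project).
const sampleModelConfig = {
  _meta: { sources: ['loopback/common/models', '../common/models'] },
  User: { dataSource: 'db' },
  AccessToken: { dataSource: 'db', public: true },
  SessionToken: { dataSource: 'db' },
  Role: { dataSource: 'db', public: false },
};

// Constructed model definitions: the "base" field of each common/models/*.json.
const sampleModelDefs = {
  SessionToken: { base: 'AccessToken' },
  Note: { base: 'PersistedModel' },
};

// True if `name` is AccessToken or inherits from it through its "base" chain.
// The `seen` set stops the walk if definitions reference each other in a cycle.
function isTokenModel(name, modelDefs) {
  const seen = new Set();
  while (name && !seen.has(name)) {
    if (name === 'AccessToken') return true;
    seen.add(name);
    name = modelDefs[name] ? modelDefs[name].base : undefined;
  }
  return false;
}

// Returns the sorted names of token models that are exposed over REST.
// Conservative assumption: an entry is treated as exposed unless "public"
// is explicitly set to false.
function findExposedTokenModels(modelConfig, modelDefs = {}) {
  return Object.keys(modelConfig)
    .filter((name) => name !== '_meta')
    .filter((name) => isTokenModel(name, modelDefs))
    .filter((name) => !modelConfig[name] || modelConfig[name].public !== false)
    .sort();
}

console.log('Exposed token models:',
  findExposedTokenModels(sampleModelConfig, sampleModelDefs));
```

An empty result means no token model is flagged; any name returned is a candidate for `"public": false` or a restrictive ACL in addition to the upgrade.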