cvelistv5 - cve-2022-3145

CVE-2022-3145 (GCVE-0-2022-3145)

Vulnerability from cvelistv5 – Published: 2023-01-12 00:00 – Updated: 2025-04-08 13:37

Summary

An open redirect vulnerability exists in Okta OIDC Middleware prior to version 5.0.0 allowing an attacker to redirect a user to an arbitrary URL.

Severity ?

4.7 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

CWE

Open Redirect

Assigner

Okta

References

URL

Tags

https://github.com/okta/okta-oidc-middleware/secu…

Impacted products

	Vendor	Product	Version
	Okta	Okta OIDC Middleware	Affected: prior to 5.0.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T01:00:10.700Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/okta/okta-oidc-middleware/security/advisories/GHSA-58h4-9m7m-j9m4"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 4.7,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-3145",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-08T13:36:52.687825Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-601",
                "description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-08T13:37:49.124Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Okta OIDC Middleware",
          "vendor": "Okta",
          "versions": [
            {
              "status": "affected",
              "version": "prior to 5.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An open redirect vulnerability exists in Okta OIDC Middleware prior to version 5.0.0 allowing an attacker to redirect a user to an arbitrary URL."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Open Redirect",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-01-12T00:00:00.000Z",
        "orgId": "59b22baa-87b2-4371-8e4a-e080df12f74a",
        "shortName": "Okta"
      },
      "references": [
        {
          "url": "https://github.com/okta/okta-oidc-middleware/security/advisories/GHSA-58h4-9m7m-j9m4"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "59b22baa-87b2-4371-8e4a-e080df12f74a",
    "assignerShortName": "Okta",
    "cveId": "CVE-2022-3145",
    "datePublished": "2023-01-12T00:00:00.000Z",
    "dateReserved": "2022-09-06T00:00:00.000Z",
    "dateUpdated": "2025-04-08T13:37:49.124Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:okta:oidc_middleware:*:*:*:*:*:node.js:*:*\", \"versionEndExcluding\": \"5.0.0\", \"matchCriteriaId\": \"A718D4D7-985F-466E-B29B-E9315F373B7F\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"An open redirect vulnerability exists in Okta OIDC Middleware prior to version 5.0.0 allowing an attacker to redirect a user to an arbitrary URL.\"}, {\"lang\": \"es\", \"value\": \"Existe una vulnerabilidad de redireccionamiento abierto en Okta OIDC Middleware anterior a la versi\\u00f3n 5.0.0 que permite a un atacante redirigir a un usuario a una URL arbitraria.\"}]",
      "id": "CVE-2022-3145",
      "lastModified": "2024-11-21T07:18:55.243",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N\", \"baseScore\": 4.7, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 1.4}]}",
      "published": "2023-01-12T19:15:24.007",
      "references": "[{\"url\": \"https://github.com/okta/okta-oidc-middleware/security/advisories/GHSA-58h4-9m7m-j9m4\", \"source\": \"psirt@okta.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/okta/okta-oidc-middleware/security/advisories/GHSA-58h4-9m7m-j9m4\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "psirt@okta.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-601\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-3145\",\"sourceIdentifier\":\"psirt@okta.com\",\"published\":\"2023-01-12T19:15:24.007\",\"lastModified\":\"2025-04-08T14:15:28.280\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An open redirect vulnerability exists in Okta OIDC Middleware prior to version 5.0.0 allowing an attacker to redirect a user to an arbitrary URL.\"},{\"lang\":\"es\",\"value\":\"Existe una vulnerabilidad de redireccionamiento abierto en Okta OIDC Middleware anterior a la versi\u00f3n 5.0.0 que permite a un atacante redirigir a un usuario a una URL arbitraria.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N\",\"baseScore\":4.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N\",\"baseScore\":4.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-601\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-601\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:okta:oidc_middleware:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"5.0.0\",\"matchCriteriaId\":\"A718D4D7-985F-466E-B29B-E9315F373B7F\"}]}]}],\"references\":[{\"url\":\"https://github.com/okta/okta-oidc-middleware/security/advisories/GHSA-58h4-9m7m-j9m4\",\"source\":\"psirt@okta.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/okta/okta-oidc-middleware/security/advisories/GHSA-58h4-9m7m-j9m4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/okta/okta-oidc-middleware/security/advisories/GHSA-58h4-9m7m-j9m4\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T01:00:10.700Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 4.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-3145\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-08T13:36:52.687825Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-601\", \"description\": \"CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-08T13:37:34.981Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"Okta\", \"product\": \"Okta OIDC Middleware\", \"versions\": [{\"status\": \"affected\", \"version\": \"prior to 5.0.0\"}]}], \"references\": [{\"url\": \"https://github.com/okta/okta-oidc-middleware/security/advisories/GHSA-58h4-9m7m-j9m4\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"An open redirect vulnerability exists in Okta OIDC Middleware prior to version 5.0.0 allowing an attacker to redirect a user to an arbitrary URL.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"Open Redirect\"}]}], \"providerMetadata\": {\"orgId\": \"59b22baa-87b2-4371-8e4a-e080df12f74a\", \"shortName\": \"Okta\", \"dateUpdated\": \"2023-01-12T00:00:00.000Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-3145\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-08T13:37:49.124Z\", \"dateReserved\": \"2022-09-06T00:00:00.000Z\", \"assignerOrgId\": \"59b22baa-87b2-4371-8e4a-e080df12f74a\", \"datePublished\": \"2023-01-12T00:00:00.000Z\", \"assignerShortName\": \"Okta\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-58H4-9M7M-J9M4

Vulnerability from github – Published: 2023-01-09 20:06 – Updated: 2023-01-31 01:47

Summary

@okta/oidc-middlewareOpen Redirect vulnerability

Details

An open redirect vulnerability exists in Okta OIDC Middleware prior to version 5.0.0 allowing an attacker to redirect a user to an arbitrary URL.

Affected products and versions Okta OIDC Middleware prior to version 5.0.0.

Resolution The vulnerability is fixed in OIDC Middleware 5.0.0. To remediate this vulnerability, upgrade Okta OIDC Middleware to this version or later.

CVE details CVE ID: CVE-2022-3145 Published Date: 01/05/2023 Vulnerability Type: Open Redirect CWE: CWE-601 CVSS v3.1 Score: 4.3 Severity: Medium Vector string: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Severity Details To exploit this issue, an attacker would need to send a victim a malformed URL containing a target server that they control. Once a user successfully completed the login process, the victim user would then be redirected to the attacker controlled site.

References https://github.com/okta/okta-oidc-middleware

Severity ?

4.7 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@okta/oidc-middleware"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-3145"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-09T20:06:02Z",
    "nvd_published_at": "2023-01-12T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An open redirect vulnerability exists in Okta OIDC Middleware prior to version 5.0.0 allowing an attacker to redirect a user to an arbitrary URL.\n\n**Affected products and versions**\nOkta OIDC Middleware prior to version 5.0.0.\n\n**Resolution**\nThe vulnerability is fixed in OIDC Middleware 5.0.0.  To remediate this vulnerability, upgrade Okta OIDC Middleware to this version or later.\n\n**CVE details**\n**CVE ID:**\t\t[CVE-2022-3145](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-3145)\n**Published Date:**\t01/05/2023\n**Vulnerability Type:**\tOpen Redirect\n**CWE:**\t\t\tCWE-601\n**CVSS v3.1 Score:** 4.3\n**Severity:** Medium\n**Vector string:** AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N\n\n**Severity Details**\nTo exploit this issue, an attacker would need to send a victim a malformed URL containing a target server that they control. Once a user successfully completed the login process, the victim user would then be redirected to the attacker controlled site.\n\n**References**\nhttps://github.com/okta/okta-oidc-middleware",
  "id": "GHSA-58h4-9m7m-j9m4",
  "modified": "2023-01-31T01:47:43Z",
  "published": "2023-01-09T20:06:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/okta/okta-oidc-middleware/security/advisories/GHSA-58h4-9m7m-j9m4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3145"
    },
    {
      "type": "WEB",
      "url": "https://github.com/okta/okta-oidc-middleware/commit/5d10b3ccdd5d6893de4d8b58696094267d30c113"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/okta/okta-oidc-middleware"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@okta/oidc-middlewareOpen Redirect vulnerability"
}

FKIE_CVE-2022-3145

Vulnerability from fkie_nvd - Published: 2023-01-12 19:15 - Updated: 2025-04-08 14:15

Severity ?

4.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
4.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Summary

An open redirect vulnerability exists in Okta OIDC Middleware prior to version 5.0.0 allowing an attacker to redirect a user to an arbitrary URL.

References

	URL	Tags
	psirt@okta.com	https://github.com/okta/okta-oidc-middleware/security/advisories/GHSA-58h4-9m7m-j9m4	Third Party Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/okta/okta-oidc-middleware/security/advisories/GHSA-58h4-9m7m-j9m4	Third Party Advisory

Impacted products

	Vendor	Product	Version
	okta	oidc_middleware	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:okta:oidc_middleware:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "A718D4D7-985F-466E-B29B-E9315F373B7F",
              "versionEndExcluding": "5.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An open redirect vulnerability exists in Okta OIDC Middleware prior to version 5.0.0 allowing an attacker to redirect a user to an arbitrary URL."
    },
    {
      "lang": "es",
      "value": "Existe una vulnerabilidad de redireccionamiento abierto en Okta OIDC Middleware anterior a la versi\u00f3n 5.0.0 que permite a un atacante redirigir a un usuario a una URL arbitraria."
    }
  ],
  "id": "CVE-2022-3145",
  "lastModified": "2025-04-08T14:15:28.280",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2023-01-12T19:15:24.007",
  "references": [
    {
      "source": "psirt@okta.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/okta/okta-oidc-middleware/security/advisories/GHSA-58h4-9m7m-j9m4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/okta/okta-oidc-middleware/security/advisories/GHSA-58h4-9m7m-j9m4"
    }
  ],
  "sourceIdentifier": "psirt@okta.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-601"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-601"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

GSD-2022-3145

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

An open redirect vulnerability exists in Okta OIDC Middleware prior to version 5.0.0 allowing an attacker to redirect a user to an arbitrary URL.

Aliases

CVE-2022-3145

Aliases

CVE-2022-3145

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-3145",
    "id": "GSD-2022-3145"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-3145"
      ],
      "details": "An open redirect vulnerability exists in Okta OIDC Middleware prior to version 5.0.0 allowing an attacker to redirect a user to an arbitrary URL.",
      "id": "GSD-2022-3145",
      "modified": "2023-12-13T01:19:40.575897Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "psirt@okta.com",
        "ID": "CVE-2022-3145",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Okta OIDC Middleware",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "prior to 5.0.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Okta"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "An open redirect vulnerability exists in Okta OIDC Middleware prior to version 5.0.0 allowing an attacker to redirect a user to an arbitrary URL."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Open Redirect"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/okta/okta-oidc-middleware/security/advisories/GHSA-58h4-9m7m-j9m4",
            "refsource": "MISC",
            "url": "https://github.com/okta/okta-oidc-middleware/security/advisories/GHSA-58h4-9m7m-j9m4"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c5.0.0",
          "affected_versions": "All versions before 5.0.0",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-601",
            "CWE-937"
          ],
          "date": "2023-01-30",
          "description": "An open redirect vulnerability exists in Okta OIDC Middleware prior to version 5.0.0 allowing an attacker to redirect a user to an arbitrary URL.",
          "fixed_versions": [
            "5.0.0"
          ],
          "identifier": "CVE-2022-3145",
          "identifiers": [
            "CVE-2022-3145",
            "GHSA-58h4-9m7m-j9m4",
            "GMS-2023-8"
          ],
          "not_impacted": "All versions starting from 5.0.0",
          "package_slug": "npm/@okta/oidc-middleware",
          "pubdate": "2023-01-12",
          "solution": "Upgrade to version 5.0.0 or above.",
          "title": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-3145",
            "https://github.com/okta/okta-oidc-middleware/security/advisories/GHSA-58h4-9m7m-j9m4",
            "https://github.com/okta/okta-oidc-middleware/commit/5d10b3ccdd5d6893de4d8b58696094267d30c113",
            "https://github.com/advisories/GHSA-58h4-9m7m-j9m4"
          ],
          "uuid": "60ec9238-e99e-4a01-ac44-9677df0bef91"
        },
        {
          "affected_range": "\u003c0",
          "affected_versions": "All versions before 5.0.0",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2023-01-09",
          "description": "An open redirect vulnerability exists in Okta OIDC Middleware prior to version 5.0.0 allowing an attacker to redirect a user to an arbitrary URL.\n\n**Affected products and versions**\nOkta OIDC Middleware prior to version 5.0.0.\n\n**Resolution**\nThe vulnerability is fixed in OIDC Middleware 5.0.0. To remediate this vulnerability, upgrade Okta OIDC Middleware to this version or later.\n\n**CVE details**\n**CVE ID:**\t\t[CVE-2022-3145](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-3145)\n**Published Date:**\t01/05/2023\n**Vulnerability Type:**\tOpen Redirect\n**CWE:**\t\t\tCWE-601\n**CVSS v3.1 Score:** 4.3\n**Severity:** Medium\n**Vector string:** AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N\n\n**Severity Details**\nTo exploit this issue, an attacker would need to send a victim a malformed URL containing a target server that they control. Once a user successfully completed the login process, the victim user would then be redirected to the attacker controlled site.\n\n**References**\nhttps://github.com/okta/okta-oidc-middleware",
          "fixed_versions": [
            "5.0.0"
          ],
          "identifier": "GMS-2023-8",
          "identifiers": [
            "GHSA-58h4-9m7m-j9m4",
            "GMS-2023-8",
            "CVE-2022-3145"
          ],
          "not_impacted": "All versions starting from 5.0.0",
          "package_slug": "npm/@okta/oidc-middleware",
          "pubdate": "2023-01-09",
          "solution": "Upgrade to version 5.0.0 or above.",
          "title": "Duplicate of ./npm/@okta/oidc-middleware/CVE-2022-3145.yml",
          "urls": [
            "https://github.com/okta/okta-oidc-middleware/security/advisories/GHSA-58h4-9m7m-j9m4",
            "https://github.com/okta/okta-oidc-middleware/commit/5d10b3ccdd5d6893de4d8b58696094267d30c113",
            "https://github.com/advisories/GHSA-58h4-9m7m-j9m4"
          ],
          "uuid": "a0772029-4a71-48c6-8e49-013f140e83e3"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:okta:oidc_middleware:*:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "versionEndExcluding": "5.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@okta.com",
          "ID": "CVE-2022-3145"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "An open redirect vulnerability exists in Okta OIDC Middleware prior to version 5.0.0 allowing an attacker to redirect a user to an arbitrary URL."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-601"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/okta/okta-oidc-middleware/security/advisories/GHSA-58h4-9m7m-j9m4",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/okta/okta-oidc-middleware/security/advisories/GHSA-58h4-9m7m-j9m4"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      },
      "lastModifiedDate": "2023-01-30T16:30Z",
      "publishedDate": "2023-01-12T19:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-3145 (GCVE-0-2022-3145)

GHSA-58H4-9M7M-J9M4

FKIE_CVE-2022-3145

GSD-2022-3145

Tags

Sightings

Nomenclature