{"id":"CVE-2016-7191","details":"The Microsoft Azure Active Directory Passport (aka Passport-Azure-AD) library 1.x before 1.4.6 and 2.x before 2.0.1 for Node.js does not recognize the validateIssuer setting, which allows remote attackers to bypass authentication via a crafted token.","aliases":["GHSA-73jp-3c67-hjfv"],"modified":"2026-04-01T23:54:22.636893Z","published":"2016-09-28T20:59:00.240Z","references":[{"type":"WEB","url":"http://www.securitytracker.com/id/1036996"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/93213"},{"type":"FIX","url":"https://support.microsoft.com/kb/3187742"},{"type":"FIX","url":"https://github.com/AzureAD/passport-azure-ad/blob/master/SECURITY-NOTICE.MD"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/azuread/passport-azure-ad","events":[{"introduced":"0"},{"last_affected":"6deb0df82bfe93ba2e628ece351c0db94aaddfce"},{"introduced":"0"},{"last_affected":"d39d6e1dce5d5173aca6cdda0556fd133a96f622"},{"introduced":"0"},{"last_affected":"abb47d35b874b3eaa55176679605f51e36c59ea6"},{"introduced":"0"},{"last_affected":"3f37f54488c8a46e33b99792ccb4afd3b6d9e5da"},{"introduced":"0"},{"last_affected":"34260bfe966c563c71de2d3fd5bc98e5b4320968"},{"introduced":"0"},{"last_affected":"e50c27e0f91a2a32bf7037226332ef9a0667f2fc"},{"introduced":"0"},{"last_affected":"a018e925e377de007eff4dbf77e64971b7d1d446"},{"introduced":"0"},{"last_affected":"3eef184da057a18d9011ab08f035edd9d0a9334f"},{"introduced":"0"},{"last_affected":"34f84d1cab1f978ea2a0d4ba68ccd0f74e786bb9"},{"introduced":"0"},{"last_affected":"8aa513f2430413e2e453c89a76e87e6a7280e4ea"},{"introduced":"0"},{"last_affected":"b93fcf9024862922f08d8f7e465776a144952986"},{"introduced":"0"},{"last_affected":"2002107c5053e37e3fdf535c59b850d598f95f14"},{"introduced":"0"},{"last_affected":"000a21240da490d27d4032e26c5f6c42a8353fbc"},{"introduced":"0"},{"last_affected":"5ed761d1af71f1ec0b255e6ee6fe9781b522c3da"},{"introduced":"0"},{"last_affected":"a47c56e3aad5ca3ce38c8a912813a2785e0b7cad"},{"introduced":"0"},{"last_affected":"f69defb2bb967dd65349fa952f192bf5eff57e6a"},{"introduced":"0"},{"last_affected":"fc554162c717d1aede5fefaf8d4d905be49c9a14"},{"introduced":"0"},{"last_affected":"f4afd5b006752d989bd421ce47512cd720b43728"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.0.0"},{"introduced":"0"},{"last_affected":"1.1.0"},{"introduced":"0"},{"last_affected":"1.1.1"},{"introduced":"0"},{"last_affected":"1.2.0"},{"introduced":"0"},{"last_affected":"1.3.0"},{"introduced":"0"},{"last_affected":"1.3.1"},{"introduced":"0"},{"last_affected":"1.3.2"},{"introduced":"0"},{"last_affected":"1.3.3"},{"introduced":"0"},{"last_affected":"1.3.4"},{"introduced":"0"},{"last_affected":"1.3.5"},{"introduced":"0"},{"last_affected":"1.3.6"},{"introduced":"0"},{"last_affected":"1.4.0"},{"introduced":"0"},{"last_affected":"1.4.1"},{"introduced":"0"},{"last_affected":"1.4.2"},{"introduced":"0"},{"last_affected":"1.4.3"},{"introduced":"0"},{"last_affected":"1.4.4"},{"introduced":"0"},{"last_affected":"1.4.5"},{"introduced":"0"},{"last_affected":"2.0.0"}]}}],"versions":["v0.0.4","v0.0.5","v1.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-7191.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}