CVE-2020-15222

Sažetak

In ORY Fosite (the security first OAuth2 & OpenID Connect framework for Go) before version 0.31.0, when using "private_key_jwt" authentication the uniqueness of the `jti` value is not checked. When using client authentication method "private_key_jwt", OpenId specification says the following about assertion `jti`: "A unique identifier for the token, which can be used to prevent reuse of the token. These tokens MUST only be used once, unless conditions for reuse were negotiated between the parties". Hydra does not seem to check the uniqueness of this `jti` value. This problem is fixed in version 0.31.0.

Reference

https://github.com/ory/fosite/security/advisories/GHSA-v3q9-2p3m-7g43
https://github.com/ory/fosite/commit/0c9e0f6d654913ad57c507dd9a36631e1858a3e9
https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication

CVSS

Base:	5.8
Impact:	4.9
Exploitability:	8.6

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	NONE

CVSS vektor

AV:N/AC:M/Au:N/C:P/I:P/A:N

Zadnje važnije ažuriranje

18-11-2021 - 17:51

Objavljeno

24-09-2020 - 17:15