Lucene search

GitHub_MCVELIST:CVE-2020-15222

HistorySep 24, 2020 - 4:15 p.m.

CVE-2020-15222 Replay of private_key_jwt possible in ORY Fosite

2020-09-2416:15:52

CWE-287

GitHub_M

www.cve.org

ory fosite

oauth2

openid connect

private_key_jwt

jti

uniqueness

vulnerability

fix

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

AI Score

8.2

Confidence

High

EPSS

0.002

Percentile

61.6%

JSON

In ORY Fosite (the security first OAuth2 & OpenID Connect framework for Go) before version 0.31.0, when using “private_key_jwt” authentication the uniqueness of the jti value is not checked. When using client authentication method “private_key_jwt”, OpenId specification says the following about assertion jti: “A unique identifier for the token, which can be used to prevent reuse of the token. These tokens MUST only be used once, unless conditions for reuse were negotiated between the parties”. Hydra does not seem to check the uniqueness of this jti value. This problem is fixed in version 0.31.0.

CNA Affected

[
  {
    "product": "fosite",
    "vendor": "ory",
    "versions": [
      {
        "status": "affected",
        "version": "< 0.31.0"
      }
    ]
  }
]

References

github.com/ory/fosite/commit/0c9e0f6d654913ad57c507dd9a36631e1858a3e9

github.com/ory/fosite/security/advisories/GHSA-v3q9-2p3m-7g43

openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

AI Score

8.2

Confidence

High

EPSS

0.002

Percentile

61.6%

JSON

Related for CVELIST:CVE-2020-15222