GitHub_MCVELIST:CVE-2024-31209CVE-2024-31209 OpenID Connect client Atom Exhaustion in provider configuration worker ets table location
5.3 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H
0.0004 Low
EPSS
Percentile
15.7%
oidcc is the OpenID Connect client library for Erlang. Denial of Service (DoS) by Atom exhaustion is possible by calling oidcc_provider_configuration_worker:get_provider_configuration/1 or oidcc_provider_configuration_worker:get_jwks/1. This issue has been patched in version(s)3.1.2 & 3.2.0-beta.3.
CNA Affected
[
{
"vendor": "erlef",
"product": "oidcc",
"versions": [
{
"version": ">= 3.0.0, < 3.0.2",
"status": "affected"
},
{
"version": ">= 3.1.0, < 3.1.2",
"status": "affected"
},
{
"version": ">= 3.2.0-beta.1, < 3.2.0-beta.3",
"status": "affected"
}
]
}
]References
github.com/erlef/oidcc/blob/018dbb53dd752cb1e331637d8e0e6a489ba1fae9/src/oidcc_provider_configuration_worker.erl#L385-L388
github.com/erlef/oidcc/commit/2f304d877c7e0613d6fd952d7feacbf40dbc355c
github.com/erlef/oidcc/commit/48171fb62688fb4eec1ead0884aa501e0aa68649
github.com/erlef/oidcc/commit/ac458ed88dc292aad6fa7343f6a53e73c560fb1a
github.com/erlef/oidcc/security/advisories/GHSA-mj35-2rgf-cv8p
Related
5.3 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H
0.0004 Low
EPSS
Percentile
15.7%