Lucene search

GitHub Advisory DatabaseGHSA-4W59-C3GC-RRHP

HistoryFeb 28, 2023 - 11:20 p.m.

vantage6 refresh tokens do not expire

2023-02-2823:20:05

CWE-613

GitHub Advisory Database

github.com

vantage6

tokens

security

refresh token

nodes

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

43.3%

JSON

From issue:

Problem description
Currently, the refresh token is valid indefinitely. This is bad security practice.

Desired solution
The refresh token should get a validity of 24-48 hours.

Additional context

When implementing this, also check that the refresh token returns a new refresh token
When implementing this, also adapt the UI so that it logs out if refresh token is no longer valid.
When implementing this, ensure that nodes refresh their token periodically so that they do not have to be restarted manually.

Impact

Patches

None available

Workarounds

None available

Affected configurations

Vulners

Node

vantage6vantage6Range<3.8.0

VendorProductVersionCPE
vantage6vantage6*cpe:2.3:a:vantage6:vantage6:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
vantage6	vantage6	*	cpe:2.3:a:vantage6:vantage6::::::::

References

github.com/advisories/GHSA-4w59-c3gc-rrhp

github.com/vantage6/vantage6/commit/48ebfca42359e9a6743e9598684585e2522cdce8

github.com/vantage6/vantage6/security/advisories/GHSA-4w59-c3gc-rrhp

nvd.nist.gov/vuln/detail/CVE-2023-23929

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

43.3%

JSON

Related for GHSA-4W59-C3GC-RRHP