Lucene search

GoogleOSV:GHSA-4W59-C3GC-RRHP

HistoryFeb 28, 2023 - 11:20 p.m.

vantage6 refresh tokens do not expire

2023-02-2823:20:05

Google

osv.dev

security token

expiration

ui adaptation

periodic refresh

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

43.3%

JSON

From issue:

Problem description
Currently, the refresh token is valid indefinitely. This is bad security practice.

Desired solution
The refresh token should get a validity of 24-48 hours.

Additional context

When implementing this, also check that the refresh token returns a new refresh token
When implementing this, also adapt the UI so that it logs out if refresh token is no longer valid.
When implementing this, ensure that nodes refresh their token periodically so that they do not have to be restarted manually.

Impact

Patches

None available

Workarounds

None available

References

github.com/vantage6/vantage6

github.com/vantage6/vantage6/commit/48ebfca42359e9a6743e9598684585e2522cdce8

github.com/vantage6/vantage6/security/advisories/GHSA-4w59-c3gc-rrhp

nvd.nist.gov/vuln/detail/CVE-2023-23929

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

43.3%

JSON

Related for OSV:GHSA-4W59-C3GC-RRHP