2 matches found
CVE-2020-5300
In Hydra an OAuth2 Server and OpenID Certified™ OpenID Connect Provider written in Go, before version 1.4.0+oryOS.17, when using client authentication method 'privatekeyjwt' 1, OpenId specification says the following about assertion jti: "A unique identifier for the token, which can be used to...
CVE-2020-5300
Hydra (Go-based OAuth2/OpenID provider) before version 1.4.0+oryOS.17 is affected when using client authentication with private_key_jwt because it does not enforce uniqueness of the JWT jti value, enabling potential token replay within the token’s expiry window. A patch is published in v1.4.0+ory...