34 matches found
EUVD-2021-1195
Malware in sbrugna...
EUVD-2021-1002
Malware in sbrugna...
EUVD-2021-1179
Malware in sbrugna...
CVE-2020-15234
ORY Fosite is a security first OAuth2 & OpenID Connect framework for Go. In Fosite before version 0.34.1, the OAuth 2.0 Client's registered redirect URLs and the redirect URL provided at the OAuth2 Authorization Endpoint were compared using strings.ToLower while they should have been compared wi...
CVE-2020-15223
In ORY Fosite the security first OAuth2 & OpenID Connect framework for Go before version 0.34.0, the TokenRevocationHandler ignores errors coming from the storage. This can lead to unexpected 200 status codes indicating successful revocation while the token is still valid. Whether an attacker can...
CVE-2020-15222
In ORY Fosite the security first OAuth2 & OpenID Connect framework for Go before version 0.31.0, when using "privatekeyjwt" authentication the uniqueness of the jti value is not checked. When using client authentication method "privatekeyjwt", OpenId specification says the following about asserti...
GO-2021-0110 Token reuse in github.com/ory/fosite
Uniqueness of JWT IDs jti are not checked, allowing the JWT to be replayed...
GO-2021-0109 Improper handling of token revocation in github.com/ory/fosite
Due to improper error handling, an error with the underlying token storage may cause a user to believe a token has been successfully revoked when it is in fact still valid. An attacker's ability to exploit this relies on an ability to trigger errors in the underlying storage...
Insecure Redirect Validation
github.com/ory/fosite suffers from insecure redirect validation. The vulnerability exists due to the usage of strings.ToLower while they should have been compared with a simple string match...
Insecure Session Management
github.com/ory/fosite uses insecure session management. The vulnerability exists as it fails to validate the uniqueness of this jti value in privatekeyjwt client authentication method, allowing an attacker to send the same token request twice with the same jti assertion to get two access tokens...
GHSA-V3Q9-2P3M-7G43 Token reuse in Ory fosite
Impact: When using client authentication method "privatekeyjwt" [1] (https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication), the OpenID specification says the following about assertion jti: A unique identifier for the token, which can be used to prevent reuse of the token. These tokens...
CVE-2020-15233
ORY Fosite is a security first OAuth2 & OpenID Connect framework for Go. In Fosite from version 0.30.2 and before version 0.34.1, there is an issue in which an attacker can override the registered redirect URL by performing an OAuth flow and requesting a redirect URL that is to the loopback...
Design/Logic Flaw
ORY Fosite is a security first OAuth2 & OpenID Connect framework for Go. In Fosite before version 0.34.1, the OAuth 2.0 Client's registered redirect URLs and the redirect URL provided at the OAuth2 Authorization Endpoint were compared using strings.ToLower while they should have been compared wi...
Design/Logic Flaw
ORY Fosite is a security first OAuth2 & OpenID Connect framework for Go. In Fosite from version 0.30.2 and before version 0.34.1, there is an issue in which an attacker can override the registered redirect URL by performing an OAuth flow and requesting a redirect URL that is to the loopback...
CVE-2020-15233
Summary: CVE-2020-15233 affects ORY Fosite
CVE-2020-15233 OAuth2 Redirect URL validity does not respect query parameters and character casing for loopback addresses
ORY Fosite is a security first OAuth2 & OpenID Connect framework for Go. In Fosite from version 0.30.2 and before version 0.34.1, there is an issue in which an attacker can override the registered redirect URL by performing an OAuth flow and requesting a redirect URL that is to the loopback...