CVSS3
Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H
AI Score
Confidence: High
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
oidcc is the OpenID Connect client library for Erlang. Denial of Service (DoS) by atom exhaustion is possible by calling oidcc_provider_configuration_worker:get_provider_configuration/1 or oidcc_provider_configuration_worker:get_jwks/1. Erlang atoms are never garbage collected, so every call that creates a new atom permanently consumes a slot in the VM's atom table; once the table is full the whole VM aborts, taking down every application running on it. This issue has been patched in versions 3.1.2 and 3.2.0-beta.3.
github.com/erlef/oidcc/blob/018dbb53dd752cb1e331637d8e0e6a489ba1fae9/src/oidcc_provider_configuration_worker.erl#L385-L388
github.com/erlef/oidcc/commit/2f304d877c7e0613d6fd952d7feacbf40dbc355c
github.com/erlef/oidcc/commit/48171fb62688fb4eec1ead0884aa501e0aa68649
github.com/erlef/oidcc/commit/ac458ed88dc292aad6fa7343f6a53e73c560fb1a
github.com/erlef/oidcc/security/advisories/GHSA-mj35-2rgf-cv8p
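The pattern behind this bug class, as an added Erlang illustration that is not oidcc's code: a caller-supplied binary is converted to an atom to look up a registered process, shown beside the hardened form that only resolves atoms which already exist, plus the atom-table health check a practitioner would monitor. The module, its functions (lookup_unsafe/1, lookup_safe/1, atom_table_status/0, flood/2) and the registry it models are hypothetical; oidcc's real change is in the commits linked above.

```erlang
%% atom_exhaustion_demo.erl
%% Added illustration of atom exhaustion, NOT code from oidcc. The module,
%% function names and the registry it models are hypothetical.
-module(atom_exhaustion_demo).
-export([lookup_unsafe/1, lookup_safe/1, atom_table_status/0, flood/2]).

%% Vulnerable pattern: a caller-supplied binary is turned into an atom so it
%% can be used as a registered process name. Atoms are never garbage
%% collected, so every distinct Name permanently occupies a slot in the atom
%% table (default limit 1,048,576, set with the +t emulator flag). When the
%% table fills up the whole VM aborts, taking every application down with it.
lookup_unsafe(Name) when is_binary(Name) ->
    whereis(binary_to_atom(Name, utf8)).

%% Hardened pattern: only resolve names that already exist as atoms, i.e.
%% names that trusted code created when it registered the process. Unknown
%% input raises badarg instead of allocating, so it cannot grow the table.
lookup_safe(Name) when is_atom(Name) ->
    whereis(Name);
lookup_safe(Name) when is_binary(Name) ->
    try binary_to_existing_atom(Name, utf8) of
        Atom -> whereis(Atom)
    catch
        error:badarg -> undefined
    end.

%% Operational check: how full the atom table is. Useful as a health metric;
%% alert well before used_pct approaches 100.
atom_table_status() ->
    Count = erlang:system_info(atom_count),
    Limit = erlang:system_info(atom_limit),
    #{count => Count, limit => Limit, used_pct => Count * 100 / Limit}.

%% Shows the difference between the two lookups: Fun is lookup_unsafe/1 or
%% lookup_safe/1. Returns how many atoms N distinct caller-controlled names
%% added to the table. Keep N small: with lookup_unsafe/1 and a large N this
%% crashes the VM, which is exactly the DoS.
flood(Fun, N) ->
    #{count := Before} = atom_table_status(),
    lists:foreach(
        fun(I) -> Fun(<<"attacker_supplied_", (integer_to_binary(I))/binary>>) end,
        lists:seq(1, N)),
    #{count := After} = atom_table_status(),
    After - Before.
```

On a fresh VM, `atom_exhaustion_demo:flood(fun atom_exhaustion_demo:lookup_unsafe/1, 1000)` returns 1000 while the same call with `lookup_safe/1` returns 0. Running the unsafe variant a second time also returns 0, which makes the point that the slots are never reclaimed: the only recovery is restarting the VM.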