CVE Vulnerability

CVE-2020-15223

In ORY Fosite (the security first OAuth2 & OpenID Connect framework for Go) before version 0.34.0, the `TokenRevocationHandler` ignores errors coming from the storage. This can lead to unexpected 200 status codes indicating successful revocation while the token is still valid. Whether an attacker can use this for her advantage depends on the ability to trigger errors in the store. This is fixed in version 0.34.0

4 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 4.9 / Impact : 4.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

Scope

8 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/ory/fosite/commit/03dd55813f5521985f7dd64277b7ba0cf1441319 Patch Third Party Advisory
https://tools.ietf.org/html/rfc7009#section-2.2.1 Third Party Advisory
https://github.com/ory/fosite/security/advisories/GHSA-7mqr-2v3q-v2wm Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:ory:fosite:*:*:*:*:*:*:*:*
Information

Published : 2020-09-24 05:15

Updated : 2022-10-21 06:09

NVD link : CVE-2020-15223

Mitre link : CVE-2020-15223

Products Affected
No products.
CWE
CWE-754