CVE Vulnerability

CVE-2020-15222

In ORY Fosite (the security first OAuth2 & OpenID Connect framework for Go) before version 0.31.0, when using "private_key_jwt" authentication the uniqueness of the `jti` value is not checked. When using client authentication method "private_key_jwt", OpenId specification says the following about assertion `jti`: "A unique identifier for the token, which can be used to prevent reuse of the token. These tokens MUST only be used once, unless conditions for reuse were negotiated between the parties". Hydra does not seem to check the uniqueness of this `jti` value. This problem is fixed in version 0.31.0.

5.8 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8.6 / Impact : 4.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

Scope

8.1 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/ory/fosite/security/advisories/GHSA-v3q9-2p3m-7g43 Exploit Third Party Advisory
https://github.com/ory/fosite/commit/0c9e0f6d654913ad57c507dd9a36631e1858a3e9 Patch Third Party Advisory
https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:ory:fosite:*:*:*:*:*:*:*:*
Information

Published : 2020-09-24 05:15

Updated : 2021-11-18 05:51

NVD link : CVE-2020-15222

Mitre link : CVE-2020-15222

Products Affected
No products.
CWE
CWE-345