Search criteria
1 vulnerability by erlef
CVE-2024-31209 (GCVE-0-2024-31209)
Vulnerability from cvelistv5 – Published: 2024-04-04 16:04 – Updated: 2024-09-03 18:26
VLAI?
Title
OpenID Connect client Atom Exhaustion in provider configuration worker ets table location
Summary
oidcc is the OpenID Connect client library for Erlang. Denial of Service (DoS) by Atom exhaustion is possible by calling `oidcc_provider_configuration_worker:get_provider_configuration/1` or `oidcc_provider_configuration_worker:get_jwks/1`. This issue has been patched in version(s)`3.1.2` & `3.2.0-beta.3`.
Severity ?
5.3 (Medium)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:46:04.592Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/erlef/oidcc/security/advisories/GHSA-mj35-2rgf-cv8p",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/erlef/oidcc/security/advisories/GHSA-mj35-2rgf-cv8p"
},
{
"name": "https://github.com/erlef/oidcc/commit/2f304d877c7e0613d6fd952d7feacbf40dbc355c",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/erlef/oidcc/commit/2f304d877c7e0613d6fd952d7feacbf40dbc355c"
},
{
"name": "https://github.com/erlef/oidcc/commit/48171fb62688fb4eec1ead0884aa501e0aa68649",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/erlef/oidcc/commit/48171fb62688fb4eec1ead0884aa501e0aa68649"
},
{
"name": "https://github.com/erlef/oidcc/commit/ac458ed88dc292aad6fa7343f6a53e73c560fb1a",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/erlef/oidcc/commit/ac458ed88dc292aad6fa7343f6a53e73c560fb1a"
},
{
"name": "https://github.com/erlef/oidcc/blob/018dbb53dd752cb1e331637d8e0e6a489ba1fae9/src/oidcc_provider_configuration_worker.erl#L385-L388",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/erlef/oidcc/blob/018dbb53dd752cb1e331637d8e0e6a489ba1fae9/src/oidcc_provider_configuration_worker.erl#L385-L388"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-31209",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-07T15:32:55.551475Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T18:26:21.909Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "oidcc",
"vendor": "erlef",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.0.2"
},
{
"status": "affected",
"version": "\u003e= 3.1.0, \u003c 3.1.2"
},
{
"status": "affected",
"version": "\u003e= 3.2.0-beta.1, \u003c 3.2.0-beta.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "oidcc is the OpenID Connect client library for Erlang. Denial of Service (DoS) by Atom exhaustion is possible by calling `oidcc_provider_configuration_worker:get_provider_configuration/1` or `oidcc_provider_configuration_worker:get_jwks/1`. This issue has been patched in version(s)`3.1.2` \u0026 `3.2.0-beta.3`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-04T16:04:43.255Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/erlef/oidcc/security/advisories/GHSA-mj35-2rgf-cv8p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/erlef/oidcc/security/advisories/GHSA-mj35-2rgf-cv8p"
},
{
"name": "https://github.com/erlef/oidcc/commit/2f304d877c7e0613d6fd952d7feacbf40dbc355c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/erlef/oidcc/commit/2f304d877c7e0613d6fd952d7feacbf40dbc355c"
},
{
"name": "https://github.com/erlef/oidcc/commit/48171fb62688fb4eec1ead0884aa501e0aa68649",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/erlef/oidcc/commit/48171fb62688fb4eec1ead0884aa501e0aa68649"
},
{
"name": "https://github.com/erlef/oidcc/commit/ac458ed88dc292aad6fa7343f6a53e73c560fb1a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/erlef/oidcc/commit/ac458ed88dc292aad6fa7343f6a53e73c560fb1a"
},
{
"name": "https://github.com/erlef/oidcc/blob/018dbb53dd752cb1e331637d8e0e6a489ba1fae9/src/oidcc_provider_configuration_worker.erl#L385-L388",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/erlef/oidcc/blob/018dbb53dd752cb1e331637d8e0e6a489ba1fae9/src/oidcc_provider_configuration_worker.erl#L385-L388"
}
],
"source": {
"advisory": "GHSA-mj35-2rgf-cv8p",
"discovery": "UNKNOWN"
},
"title": "OpenID Connect client Atom Exhaustion in provider configuration worker ets table location"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-31209",
"datePublished": "2024-04-04T16:04:43.255Z",
"dateReserved": "2024-03-29T14:16:31.900Z",
"dateUpdated": "2024-09-03T18:26:21.909Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}