GHSA-XMJ9-7625-F634

Vulnerability from github – Published: 2026-04-15 19:19 – Updated: 2026-04-15 19:19
Summary
Data Sharing Framework has an Inverted Time Comparison in OIDC JWKS and Token Cache
Details

Affected Components

  • DSF FHIR Server with enabled bearer-token authentication or back-channel logout.
  • DSF BPE Server with enabled bearer-token authentication or back-channel logout.
  • DSF BPE Server API v2 process plugins using FHIR client connections with configured OIDC authentication.

Summary

  • The OIDC JWKS and Metadata Document caches used an inverted time comparison (isBefore instead of isAfter), causing the cache to never return cached values. Every incoming request triggered a fresh HTTP fetch of the OIDC Metadata Document and JWKS keys from the OIDC provider.
  • The OIDC token cache for the FHIR client connections used an inverted time comparison (isBefore instead of isAfter), causing the cache to never invalidate. Every incoming request returned the same OIDC token even if expired.

Impact

  • Performance: Every OIDC-authenticated request added network round-trips to the OIDC provider, increasing latency
  • Reliability: Cached OIDC tokens become unusable after expiration and can only be invalidated by restart of the BPE. If the OIDC provider is temporarily unreachable, all requests fail immediately instead of using cached keys
  • Load: Unnecessary load on the OIDC provider, potentially causing rate limiting

Fix (commits 31c2e974d, d3ca59b4d)

  • Fixed cache timeout comparison from isBefore to isAfter in BaseOidcClientWithCache (configuration and JWKS caches) and OidcClientWithCache (configuration, JWKS, and access token caches)
  • Added configurable cache timeouts via dev.dsf.server.auth.oidc.provider.client.cache.timeout.configuration.resource and dev.dsf.server.auth.oidc.provider.client.cache.timeout.jwks.resource (default: PT1H)
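As an added illustration of the bug class the advisory describes (not DSF's own code), the following Java program builds a minimal time-based cache whose validity check can be switched between the correct `isAfter` comparison and the inverted `isBefore` comparison, and runs both against a simulated clock. `TimedCache`, its `loader` and `clock` suppliers, the one-hour timeout and the start timestamp are assumptions made for the demo.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.function.Supplier;

// Illustration of the bug class in this advisory (not DSF's own code): a time-based
// cache whose validity check can be flipped between the correct isAfter comparison
// and the inverted isBefore comparison.
public final class TimedCacheDemo {
    static final class TimedCache<T> {
        private final Supplier<T> loader;       // stands in for the HTTP fetch of JWKS/metadata
        private final Supplier<Instant> clock;  // injectable so the demo is deterministic
        private final Duration timeout;
        private final boolean inverted;
        private T value; private Instant cachedAt;
        private int loads;                      // upstream fetches: the number to monitor

        TimedCache(Supplier<T> loader, Supplier<Instant> clock, Duration timeout, boolean inverted) {
            this.loader = loader; this.clock = clock; this.timeout = timeout; this.inverted = inverted;
        }

        synchronized T get() {
            Instant now = clock.get();
            if (value != null) {
                Instant expiresAt = cachedAt.plus(timeout);
                // Correct: serve the entry while it has not expired yet. Inverted: serve it only once
                // it has expired; every call inside the timeout misses, re-fetches and resets cachedAt.
                boolean stillValid = inverted ? expiresAt.isBefore(now) : expiresAt.isAfter(now);
                if (stillValid) return value;
            }
            value = loader.get();
            cachedAt = now; loads++;
            return value;
        }

        int loads() { return loads; }
    }

    public static void main(String[] args) {
        for (boolean inverted : new boolean[] { false, true }) {
            Instant[] now = { Instant.parse("2026-04-15T19:19:50Z") }; // constructed start time
            TimedCache<String> jwks = new TimedCache<>(() -> "jwks", () -> now[0], Duration.ofHours(1), inverted);
            for (int i = 0; i < 10; i++) {      // ten requests within one minute
                jwks.get();
                now[0] = now[0].plusSeconds(6);
            }
            int withinTimeout = jwks.loads();   // correct: 1, inverted: 10
            now[0] = now[0].plus(Duration.ofHours(2));
            jwks.get();                         // past the timeout: correct re-fetches, inverted serves stale
            System.out.printf("inverted=%b fetches within timeout=%d, after expiry=%d%n", inverted, withinTimeout, jwks.loads());
        }
    }
}
```

Counting upstream fetches per incoming request, as `loads` does here, is the cheapest way to notice this defect in production: a working cache makes the ratio drop well below one.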

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2.1.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "dev.dsf:dsf-bpe-process-api-v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2.1.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "dev.dsf:dsf-bpe-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-670"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-15T19:19:50Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Affected Components\n- DSF FHIR Server with enabled [bearer-token authentication](https://dsf.dev/operations/v2.1.0/fhir/oidc.html) or [back-channel logout](https://dsf.dev/operations/v2.1.0/fhir/oidc.html).\n- DSF BPE Server with enabled [bearer-token authentication](https://dsf.dev/operations/v2.1.0/bpe/oidc.html) or [back-channel logout](https://dsf.dev/operations/v2.1.0/bpe/oidc.html).\n- DSF BPE Server API v2 process plugins using [FHIR client connections](https://dsf.dev/operations/v2.1.0/bpe/fhir-client-connections.html) with configured OIDC authentication.\n\n### Summary\n- The OIDC JWKS and Metadata Document caches used an inverted time comparison (`isBefore` instead of `isAfter`), causing the cache to **never return cached values**. Every incoming request triggered a fresh HTTP fetch of the OIDC Metadata Document and JWKS keys from the OIDC provider.\n- The OIDC token cache for the [FHIR client connections](https://dsf.dev/operations/v2.1.0/bpe/fhir-client-connections.html) used an inverted time comparison (`isBefore` instead of `isAfter`), causing the cache to **never invalidate**. Every incoming request returned the same OIDC token even if expired.\n\n### Impact\n- **Performance:** Every OIDC-authenticated request added network round-trips to the OIDC provider, increasing latency\n- **Reliability:** Cached OIDC tokens become unusable after expiration and can only be invalidated by restart of the BPE. \n If the OIDC provider is temporarily unreachable, all requests fail immediately instead of using cached keys\n- **Load:** Unnecessary load on the OIDC provider, potentially causing rate limiting\n\n### Fix (commits 31c2e974d, d3ca59b4d)\n- Fixed cache timeout comparison from `isBefore` to `isAfter` in `BaseOidcClientWithCache` (configuration and JWKS caches) and `OidcClientWithCache` (configuration, JWKS, and access token caches)\n- Added configurable cache timeouts via `dev.dsf.server.auth.oidc.provider.client.cache.timeout.configuration.resource` and `dev.dsf.server.auth.oidc.provider.client.cache.timeout.jwks.resource` (default: `PT1H`)",
  "id": "GHSA-xmj9-7625-f634",
  "modified": "2026-04-15T19:19:50Z",
  "published": "2026-04-15T19:19:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/datasharingframework/dsf/security/advisories/GHSA-xmj9-7625-f634"
    },
    {
      "type": "WEB",
      "url": "https://github.com/datasharingframework/dsf/commit/31c2e974dfd4351756104ee8c53dbcd666192fef"
    },
    {
      "type": "WEB",
      "url": "https://github.com/datasharingframework/dsf/commit/d3ca59b4daccde16a006fedeccce28fd1f826908"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/datasharingframework/dsf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Data Sharing Framework has an Inverted Time Comparison in OIDC JWKS and Token Cache"
}