GSD-2020-15222
Vulnerability from gsd - Updated: 2023-12-13 01:21Details
In ORY Fosite (the security first OAuth2 & OpenID Connect framework for Go) before version 0.31.0, when using "private_key_jwt" authentication the uniqueness of the `jti` value is not checked. When using client authentication method "private_key_jwt", OpenId specification says the following about assertion `jti`: "A unique identifier for the token, which can be used to prevent reuse of the token. These tokens MUST only be used once, unless conditions for reuse were negotiated between the parties". Hydra does not seem to check the uniqueness of this `jti` value. This problem is fixed in version 0.31.0.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2020-15222",
"description": "In ORY Fosite (the security first OAuth2 \u0026 OpenID Connect framework for Go) before version 0.31.0, when using \"private_key_jwt\" authentication the uniqueness of the `jti` value is not checked. When using client authentication method \"private_key_jwt\", OpenId specification says the following about assertion `jti`: \"A unique identifier for the token, which can be used to prevent reuse of the token. These tokens MUST only be used once, unless conditions for reuse were negotiated between the parties\". Hydra does not seem to check the uniqueness of this `jti` value. This problem is fixed in version 0.31.0.",
"id": "GSD-2020-15222"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2020-15222"
],
"details": "In ORY Fosite (the security first OAuth2 \u0026 OpenID Connect framework for Go) before version 0.31.0, when using \"private_key_jwt\" authentication the uniqueness of the `jti` value is not checked. When using client authentication method \"private_key_jwt\", OpenId specification says the following about assertion `jti`: \"A unique identifier for the token, which can be used to prevent reuse of the token. These tokens MUST only be used once, unless conditions for reuse were negotiated between the parties\". Hydra does not seem to check the uniqueness of this `jti` value. This problem is fixed in version 0.31.0.",
"id": "GSD-2020-15222",
"modified": "2023-12-13T01:21:44.012391Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15222",
"STATE": "PUBLIC",
"TITLE": "Replay of private_key_jwt possible in ORY Fosite"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "fosite",
"version": {
"version_data": [
{
"version_value": "\u003c 0.31.0"
}
]
}
}
]
},
"vendor_name": "ory"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In ORY Fosite (the security first OAuth2 \u0026 OpenID Connect framework for Go) before version 0.31.0, when using \"private_key_jwt\" authentication the uniqueness of the `jti` value is not checked. When using client authentication method \"private_key_jwt\", OpenId specification says the following about assertion `jti`: \"A unique identifier for the token, which can be used to prevent reuse of the token. These tokens MUST only be used once, unless conditions for reuse were negotiated between the parties\". Hydra does not seem to check the uniqueness of this `jti` value. This problem is fixed in version 0.31.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287: Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/ory/fosite/security/advisories/GHSA-v3q9-2p3m-7g43",
"refsource": "CONFIRM",
"url": "https://github.com/ory/fosite/security/advisories/GHSA-v3q9-2p3m-7g43"
},
{
"name": "https://github.com/ory/fosite/commit/0c9e0f6d654913ad57c507dd9a36631e1858a3e9",
"refsource": "MISC",
"url": "https://github.com/ory/fosite/commit/0c9e0f6d654913ad57c507dd9a36631e1858a3e9"
},
{
"name": "https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication",
"refsource": "MISC",
"url": "https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication"
}
]
},
"source": {
"advisory": "GHSA-v3q9-2p3m-7g43",
"discovery": "UNKNOWN"
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003cv0.31.0",
"affected_versions": "All versions before 0.31.0",
"cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-345",
"CWE-937"
],
"date": "2021-11-18",
"description": "In ORY Fosite (the security first OAuth2 \u0026 OpenID Connect framework for Go), when using `private_key_jwt` authentication the uniqueness of the `jti` value is not checked.",
"fixed_versions": [
"v0.31.0"
],
"identifier": "CVE-2020-15222",
"identifiers": [
"CVE-2020-15222",
"GHSA-v3q9-2p3m-7g43"
],
"not_impacted": "All versions starting from 0.31.0",
"package_slug": "go/github.com/ory/fosite",
"pubdate": "2020-09-24",
"solution": "Upgrade to version 0.31.0 or above.",
"title": "Improper Authentication",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-15222"
],
"uuid": "4c85b650-cc36-4980-bc0f-993c96b1b4ca",
"versions": [
{
"commit": {
"sha": "0c9e0f6d654913ad57c507dd9a36631e1858a3e9",
"tags": [
"v0.31.0"
],
"timestamp": "20200329092731"
},
"number": "v0.31.0"
}
]
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:ory:fosite:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "0.31.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15222"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "In ORY Fosite (the security first OAuth2 \u0026 OpenID Connect framework for Go) before version 0.31.0, when using \"private_key_jwt\" authentication the uniqueness of the `jti` value is not checked. When using client authentication method \"private_key_jwt\", OpenId specification says the following about assertion `jti`: \"A unique identifier for the token, which can be used to prevent reuse of the token. These tokens MUST only be used once, unless conditions for reuse were negotiated between the parties\". Hydra does not seem to check the uniqueness of this `jti` value. This problem is fixed in version 0.31.0."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-345"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/ory/fosite/security/advisories/GHSA-v3q9-2p3m-7g43",
"refsource": "CONFIRM",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/ory/fosite/security/advisories/GHSA-v3q9-2p3m-7g43"
},
{
"name": "https://github.com/ory/fosite/commit/0c9e0f6d654913ad57c507dd9a36631e1858a3e9",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/ory/fosite/commit/0c9e0f6d654913ad57c507dd9a36631e1858a3e9"
},
{
"name": "https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": true
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2
}
},
"lastModifiedDate": "2021-11-18T17:51Z",
"publishedDate": "2020-09-24T17:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…