CVE-2020-15222 Information

Description

In ORY Fosite (the security-first OAuth2 & OpenID Connect framework for Go) before version 0.31.0, when using "private_key_jwt" client authentication, the uniqueness of the assertion's jti value is not checked. For the "private_key_jwt" client authentication method, the OpenID Connect specification says the following about the assertion's jti: "A unique identifier for the token which can be used to prevent reuse of the token. These tokens MUST only be used once unless conditions for reuse were negotiated between the parties." Hydra does not seem to check the uniqueness of this jti value, so a captured client assertion could be presented again before its expiry. This problem is fixed in version 0.31.0.
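The missing check is a replay guard on the assertion's jti. The following is an added example (not fosite's or Hydra's own code) of the control a token endpoint needs: an in-memory store that remembers every accepted jti until that assertion's exp has passed and rejects any second presentation. It assumes the JWT signature and the iss/sub/aud claims have already been verified, and that the names AssertionClaims, JTIStore and Accept are our own; a multi-replica deployment would back the store with shared storage instead of a process-local map.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// AssertionClaims holds the client_assertion claims relevant to replay
// protection. Signature and issuer/audience checks are assumed to have
// happened before these claims reach the store (assumption of this example).
type AssertionClaims struct {
	JTI string    // "jti" claim: unique identifier of the assertion
	Exp time.Time // "exp" claim: after this instant the assertion is invalid
}

var (
	ErrMissingJTI = errors.New("client_assertion: jti claim is required")
	ErrExpired    = errors.New("client_assertion: assertion has expired")
	ErrReused     = errors.New("client_assertion: jti has already been used")
)

// JTIStore remembers every accepted jti until the assertion's exp passes.
// Entries are dropped only after exp, when the expiry check rejects the
// assertion anyway, so purging never opens a replay window.
type JTIStore struct {
	mu   sync.Mutex
	seen map[string]time.Time // jti -> exp of the assertion that carried it
}

func NewJTIStore() *JTIStore {
	return &JTIStore{seen: make(map[string]time.Time)}
}

// Accept enforces the spec's "MUST only be used once" rule: it rejects
// assertions without a jti, expired assertions, and any jti seen before.
// On success the jti is recorded so a replay of the same assertion fails.
func (s *JTIStore) Accept(c AssertionClaims, now time.Time) error {
	if c.JTI == "" {
		return ErrMissingJTI
	}
	if !now.Before(c.Exp) {
		return ErrExpired
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.purge(now)
	if _, dup := s.seen[c.JTI]; dup {
		return ErrReused
	}
	s.seen[c.JTI] = c.Exp
	return nil
}

// purge removes entries whose assertion can no longer pass the expiry check,
// keeping the store bounded by the number of live assertions.
func (s *JTIStore) purge(now time.Time) {
	for jti, exp := range s.seen {
		if !now.Before(exp) {
			delete(s.seen, jti)
		}
	}
}

// Len reports how many live jti values are currently remembered.
func (s *JTIStore) Len() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	return len(s.seen)
}

func main() {
	// Constructed sample: one assertion presented twice within its lifetime.
	now := time.Unix(1600000000, 0)
	store := NewJTIStore()
	claims := AssertionClaims{JTI: "example-jti-1", Exp: now.Add(5 * time.Minute)}
	fmt.Println("first use: ", store.Accept(claims, now))                 // <nil>
	fmt.Println("second use:", store.Accept(claims, now.Add(time.Second))) // jti has already been used
}
```

The store keys on jti alone; because the JWT signature covers exp, an attacker cannot extend the lifetime of a captured assertion to outlive the stored entry. The check also belongs before any other side effect of the token request, so a replayed assertion never reaches grant processing.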

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Reference

https://github.com/ory/fosite/commit/0c9e0f6d654913ad57c507dd9a36631e1858a3e9
https://github.com/ory/fosite/security/advisories/GHSA-v3q9-2p3m-7g43
https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

8.1

Base Severity

HIGH
