CVE-2020-15222
Summary
| CVE | CVE-2020-15222 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-09-24 17:15:00 UTC |
| Updated | 2021-11-18 17:51:00 UTC |
| Description | In ORY Fosite (the security-first OAuth2 & OpenID Connect framework for Go) before version 0.31.0, when using "private_key_jwt" authentication the uniqueness of the `jti` value is not checked. When using client authentication method "private_key_jwt", the OpenID specification says the following about the assertion `jti`: "A unique identifier for the token, which can be used to prevent reuse of the token. These tokens MUST only be used once, unless conditions for reuse were negotiated between the parties". Hydra does not seem to check the uniqueness of this `jti` value. This problem is fixed in version 0.31.0. |
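As an added, defender-side example that is not part of the CVE record or of fosite's own code: a Go replay guard implementing the missing check, remembering accepted `jti` values until the assertion's `exp` passes. The names `JTIStore` and `AcceptAssertion` are assumptions, and the caller is assumed to have already verified the assertion's signature against the client's registered key.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"sync"
	"time"
)

// ErrJTIReplayed signals that a client assertion's jti was already accepted.
var ErrJTIReplayed = errors.New("private_key_jwt: jti already used")
// JTIStore (hypothetical name) remembers accepted jti values until the assertion's
// exp passes, so a captured assertion cannot be presented twice (the check missing
// before fosite 0.31.0).
type JTIStore struct {
	mu   sync.Mutex
	seen map[string]time.Time // jti -> exp; expired entries are pruned lazily
}
func NewJTIStore() *JTIStore { return &JTIStore{seen: map[string]time.Time{}} }
// AcceptAssertion reads jti and exp from the JWT payload and rejects the
// assertion if it is malformed, lacks a jti, is expired, or reuses a jti.
// It assumes the caller has already verified the JWT signature.
func (s *JTIStore) AcceptAssertion(jwt string, now time.Time) error {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return errors.New("private_key_jwt: malformed assertion")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	var c struct{ JTI string `json:"jti"`; Exp int64 `json:"exp"` }
	if err != nil || json.Unmarshal(raw, &c) != nil || c.JTI == "" {
		return errors.New("private_key_jwt: payload undecodable or missing jti")
	}
	exp := time.Unix(c.Exp, 0)
	if !now.Before(exp) {
		return errors.New("private_key_jwt: assertion expired")
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	for k, e := range s.seen { // drop entries whose assertion can no longer replay
		if !now.Before(e) {
			delete(s.seen, k)
		}
	}
	if _, used := s.seen[c.JTI]; used {
		return ErrJTIReplayed
	}
	s.seen[c.JTI] = exp
	return nil
}
```

The store is bounded by the lazy pruning: a `jti` only has to stay unique while its assertion is still valid, which is exactly the window in which a replay would be accepted.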
Risk And Classification
Problem Types: CWE-345
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Draft: OpenID Connect Core 1.0 - draft 11 | MISC | openid.net | Third Party Advisory |
| Disallow replay of `private_key_jwt` by blacklisting JTIs · Advisory · ory/fosite · GitHub | CONFIRM | github.com | Exploit, Third Party Advisory |
| Merge pull request from GHSA-v3q9-2p3m-7g43 · ory/fosite@0c9e0f6 · GitHub | MISC | github.com | Patch, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 980047 Go (go) Security Update for github.com/ory/fosite (GHSA-v3q9-2p3m-7g43)