CVE-2020-15223
Summary
| CVE | CVE-2020-15223 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-09-24 17:15:00 UTC |
| Updated | 2022-10-21 18:09:00 UTC |
| Description | In ORY Fosite (the security first OAuth2 & OpenID Connect framework for Go) before version 0.34.0, the `TokenRevocationHandler` ignores errors coming from the storage. This can lead to unexpected 200 status codes indicating successful revocation while the token is still valid. Whether an attacker can use this to her advantage depends on the ability to trigger errors in the store. This is fixed in version 0.34.0. |
Risk And Classification
Problem Types: CWE-754
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| RFC 7009 - OAuth 2.0 Token Revocation | MISC | tools.ietf.org | Third Party Advisory |
| Token revokation incorrectly ignores storage errors · Advisory · ory/fosite · GitHub | CONFIRM | github.com | Third Party Advisory |
| Merge pull request from GHSA-7mqr-2v3q-v2wm · ory/fosite@03dd558 · GitHub | MISC | github.com | Patch, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 982409 Go (go) Security Update for github.com/ory/fosite/handler/oauth2 (GHSA-7mqr-2v3q-v2wm)