CVE-2020-15222
Published 2020-09-24
Priority P3 · CVSS 3.1 base score 8.1 (High) · vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS 0.87% (54.2nd percentile)
In ORY Fosite (the security-first OAuth2 & OpenID Connect framework for Go) before version 0.31.0, when using "private_key_jwt" authentication the uniqueness of the `jti` value is not checked. When using client authentication method "private_key_jwt", the OpenID specification says the following about the assertion `jti`: "A unique identifier for the token, which can be used to prevent reuse of the token. These tokens MUST only be used once, unless conditions for reuse were negotiated between the parties". Hydra does not seem to check the uniqueness of this `jti` value. This problem is fixed in version 0.31.0.
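The replay described above, worked through in code as an added example (this is neither fosite's code nor the advisory author's): a minimal private_key_jwt verifier in Go, standard library only, that signs one ES256 client assertion, presents it twice to a hypothetical token endpoint, and rejects the second presentation because its `jti` has already been consumed. The endpoint URL, client id, key and `jti` value are constructed for the demonstration, and the in-memory map stands in for whatever store a real server would use; the shape of fosite's own fix is not reproduced here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

type assertionClaims struct { // private_key_jwt client assertion (OIDC Core 9 / RFC 7523); iss and sub carry the client_id
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Jti string `json:"jti"`
	Exp int64  `json:"exp"`
}

// signAssertion builds a compact ES256 JWT the way a private_key_jwt client does (panics only if rand fails).
func signAssertion(key *ecdsa.PrivateKey, c assertionClaims) string {
	enc := base64.RawURLEncoding
	body, _ := json.Marshal(c) // strings and an int64 cannot fail to marshal
	input := enc.EncodeToString([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, h[:])
	if err != nil {
		panic(err)
	}
	sig := make([]byte, 64) // JWS ES256 signature is r||s (32 bytes each), not ASN.1
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + enc.EncodeToString(sig)
}

// tokenEndpoint is a hypothetical authorization server: one registered key per client, plus every (client, jti) it accepted.
type tokenEndpoint struct {
	audience string
	keys     map[string]*ecdsa.PublicKey
	usedJTIs map[string]time.Time // (client_id, jti) -> exp of the assertion that used it
}

// consumeJTI records the jti and reports false if the same one is still live, i.e. the assertion is a replay.
func (t *tokenEndpoint) consumeJTI(clientID, jti string, exp, now time.Time) bool {
	key := clientID + "\x00" + jti
	if e, dup := t.usedJTIs[key]; dup && now.Before(e) {
		return false
	}
	t.usedJTIs[key] = exp // useless once exp has passed, so a TTL store can evict it then
	return true
}

// authenticate validates a client assertion at time now and returns the authenticated client_id.
func (t *tokenEndpoint) authenticate(assertion string, now time.Time) (string, error) {
	h64, rest, _ := strings.Cut(assertion, ".")
	p64, s64, found := strings.Cut(rest, ".")
	hb, err1 := base64.RawURLEncoding.DecodeString(h64)
	pb, err2 := base64.RawURLEncoding.DecodeString(p64)
	sig, err3 := base64.RawURLEncoding.DecodeString(s64)
	var hdr struct{ Alg string `json:"alg"` }
	var c assertionClaims
	if !found || err1 != nil || err2 != nil || err3 != nil || len(sig) != 64 ||
		json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(pb, &c) != nil || hdr.Alg != "ES256" {
		return "", errors.New("malformed or unsupported assertion")
	}
	pub, ok := t.keys[c.Iss]
	h := sha256.Sum256([]byte(h64 + "." + p64))
	if !ok || c.Sub != c.Iss || !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", errors.New("unknown client or invalid signature")
	}
	if c.Aud != t.audience || !now.Before(time.Unix(c.Exp, 0)) || c.Jti == "" {
		return "", errors.New("wrong audience, expired, or missing jti")
	}
	// The check fosite < 0.31.0 lacked: an already-consumed jti means a replayed assertion.
	if !t.consumeJTI(c.Iss, c.Jti, time.Unix(c.Exp, 0), now) {
		return "", errors.New("jti already used: assertion replayed")
	}
	return c.Iss, nil
}

// demo presents one signed assertion twice, as the advisory's repeated curl request does (nil = token issued).
func demo() (first, second error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Unix(1600000000, 0)
	ep := &tokenEndpoint{audience: "https://as.example/oauth2/token", // hypothetical endpoint
		keys: map[string]*ecdsa.PublicKey{"client-a": &key.PublicKey}, usedJTIs: map[string]time.Time{}}
	a := signAssertion(key, assertionClaims{Iss: "client-a", Sub: "client-a", Aud: ep.audience,
		Jti: "c1b2e0d5", Exp: now.Add(5 * time.Minute).Unix()}) // constructed sample jti
	_, first = ep.authenticate(a, now)
	_, second = ep.authenticate(a, now)
	return first, second
}
```

Two design points matter here. The `jti` is consumed only after the signature, audience and expiry have been verified, so an unauthenticated party cannot burn a legitimate client's identifiers by posting forged assertions with guessed values; and the store is keyed on (client_id, jti), since the specification's uniqueness requirement is per issuer. The toy map never evicts anything; a deployment should store each entry with a TTL equal to the assertion's `exp` (after which the assertion is rejected as expired anyway) in a store shared by every token-endpoint instance, otherwise the check only holds within one process.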
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | ory_fosite | >= 0 < 0.31.0 | 0.31.0 |
| ory | fosite | < 0.31.0 | 0.31.0 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
| NVD | 2.0 | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N |
OSV (2021-07-28): CVE-2020-15222 Token reuse in github.com/ory/fosite
Uniqueness of JWT IDs (jti) is not checked, allowing the JWT to be replayed.
GHSA (2021-05-24, mirrored by OSV the same day): CVE-2020-15222 [HIGH] CWE-287 Token reuse in Ory fosite
### Impact
When using client authentication method "private_key_jwt" [[1]](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication), the OpenID specification says the following about the assertion `jti`:
> A unique identifier for the token, which can be used to prevent reuse of the token. These tokens MUST only be used once, unless conditions for reuse were negotiated between the parties
Hydra does not seem to check the uniqueness of this `jti` value. Here is me sending the same token request twice, hence with the same `jti` assertion, and getting two access tokens:
```
$ curl --insecure --location --request POST 'https://localhost/_/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_cre
```
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/ory/fosite/commit/0c9e0f6d654913ad57c507dd9a36631e1858a3e9
- https://github.com/ory/fosite/security/advisories/GHSA-v3q9-2p3m-7g43
- https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication