CVE-2020-15223
Published 2020-09-24
CVE-2020-15223: In ORY Fosite (the security first OAuth2 & OpenID Connect framework for Go) before version 0.34.0, the `TokenRevocationHandler` ignores errors coming from the…
Priority P3 | 39 | high | CVSS 3.1 base score: 8.0
Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
EPSS: 1.59% (72.6th percentile)
In ORY Fosite (the security first OAuth2 & OpenID Connect framework for Go) before version 0.34.0, the `TokenRevocationHandler` ignores errors coming from the storage. This can lead to unexpected 200 status codes indicating successful revocation while the token is still valid. Whether an attacker can use this to her advantage depends on the ability to trigger errors in the store. This is fixed in version 0.34.0.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | ory_fosite | >= 0 < 0.34.0 | 0.34.0 |
| ory | fosite | < 0.34.0 | 0.34.0 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.0 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N |
| NVD | 2.0 | 4.0 | MEDIUM | AV:N/AC:H/Au:N/C:P/I:P/A:N |
OSV
Improper handling of token revocation in github.com/ory/fosite
osv·2021-07-28
CVE-2020-15223 Improper handling of token revocation in github.com/ory/fosite
Improper handling of token revocation in github.com/ory/fosite
Due to improper error handling, an error with the underlying token storage may cause a user to believe a token has been successfully revoked when it is in fact still valid. An attacker's ability to exploit this relies on an ability to trigger errors in the underlying storage.
GHSA
Ory fosite contains Improper Handling of Exceptional Conditions
ghsa·2021-05-24
CVE-2020-15223 [HIGH] CWE-754 Ory fosite contains Improper Handling of Exceptional Conditions
Ory fosite contains Improper Handling of Exceptional Conditions
### Impact
The `TokenRevocationHandler` ignores errors coming from the storage. This can lead to unexpected 200 status codes indicating successful revocation while the token is still valid. Whether an attacker can use this to her advantage depends on the ability to trigger errors in the store.
### References
[RFC 7009 §2.2.1](https://tools.ietf.org/html/rfc7009#section-2.2.1) specifies that when the server cannot process a revocation request (for example because of a temporary storage failure) it responds with HTTP 503, in which case the client must assume the token still exists and may retry after a reasonable delay. Returning 200 on a storage error therefore tells the client the opposite of the truth: the token has not been revoked, but the client will never retry.
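The following is an added example written for this page; it is not fosite's code and not the actual 0.34.0 patch. It places the flawed pattern described under "Impact" beside a handler that follows RFC 7009 §2.2.1, using a hypothetical `TokenStore` interface and a constructed in-memory store whose failure mode can be switched on to simulate a backend outage. The point it makes concrete is that a 200 during an outage leaves the token live, while a 503 keeps the client retrying until the store really deletes it; an unknown token still gets 200, as RFC 7009 §2.2 requires.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ErrNotFound marks a lookup miss. RFC 7009 section 2.2 says revoking an unknown
// token still returns 200, so this is the one error the handler may swallow.
var ErrNotFound = errors.New("token not found")

// TokenStore is a hypothetical storage interface written for this example; it is
// not fosite's own storage API.
type TokenStore interface {
	RevokeToken(token string) error
}

// memStore is a constructed in-memory store. Setting fail simulates a backend
// outage (network error, timeout) during which nothing is actually deleted.
type memStore struct {
	tokens map[string]bool
	fail   error
}

func (m *memStore) RevokeToken(token string) error {
	if m.fail != nil {
		return m.fail // the backend is unreachable; nothing was deleted
	}
	if !m.tokens[token] {
		return ErrNotFound
	}
	delete(m.tokens, token)
	return nil
}

// IsValid is what an introspection or resource endpoint sees once the backend
// is reachable again: the token is live unless it was really deleted.
func (m *memStore) IsValid(token string) bool { return m.tokens[token] }

// vulnerableRevoke reproduces the pattern the advisory describes: the store's
// error is discarded and the client is told the revocation succeeded.
func vulnerableRevoke(store TokenStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		_ = store.RevokeToken(r.PostFormValue("token"))
		w.WriteHeader(http.StatusOK)
	}
}

// fixedRevoke distinguishes "token unknown" (200, RFC 7009 section 2.2) from
// "storage failed" (503, section 2.2.1: the client must assume the token still
// exists and may retry after the Retry-After delay).
func fixedRevoke(store TokenStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		err := store.RevokeToken(r.PostFormValue("token"))
		switch {
		case err == nil, errors.Is(err, ErrNotFound):
			w.WriteHeader(http.StatusOK)
		default:
			w.Header().Set("Retry-After", "5")
			w.WriteHeader(http.StatusServiceUnavailable)
		}
	}
}

// revoke sends one form-encoded revocation request to h and reports the status
// code plus whether the token is still usable afterwards.
func revoke(h http.HandlerFunc, store *memStore, token string) (int, bool) {
	req := httptest.NewRequest(http.MethodPost, "/oauth2/revoke", strings.NewReader("token="+token))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, store.IsValid(token)
}

func main() {
	outage := errors.New("dial tcp 10.0.0.5:5432: connection refused") // constructed error
	store := &memStore{tokens: map[string]bool{"tok_a": true}, fail: outage}

	code, live := revoke(vulnerableRevoke(store), store, "tok_a")
	fmt.Printf("vulnerable during outage: %d, token still valid: %v\n", code, live)

	code, live = revoke(fixedRevoke(store), store, "tok_a")
	fmt.Printf("fixed during outage:      %d, token still valid: %v\n", code, live)

	store.fail = nil // backend recovers; the client retries after Retry-After
	code, live = revoke(fixedRevoke(store), store, "tok_a")
	fmt.Printf("fixed after recovery:     %d, token still valid: %v\n", code, live)
}
```

The check worth carrying into a real deployment is the second case: with the backend down, a correct revocation endpoint must not answer 200. When testing an OAuth2 server, point it at an unreachable store (or inject a storage fault) and confirm that revocation returns 503 and that the token still introspects as active, rather than trusting the status code alone.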
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://github.com/ory/fosite/commit/03dd55813f5521985f7dd64277b7ba0cf1441319
https://github.com/ory/fosite/security/advisories/GHSA-7mqr-2v3q-v2wm
https://tools.ietf.org/html/rfc7009#section-2.2.1
Published: 2020-09-24