
github.com/ory/fosite vulnerabilities

4 known vulnerabilities affecting github.com/ory/fosite.

Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH: 2, MEDIUM: 2

Vulnerabilities

CVE-2020-15222 | P3 | HIGH | Affected versions: ≥ 0, < 0.31.0 | 2021-05-24
CVE-2020-15222 [HIGH] CWE-287: Token reuse in Ory fosite
Impact: When using client authentication method "private_key_jwt" [[1]](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication), the OpenID specification says the following about assertion `jti`: > A unique identifier for the token, which can be used to prevent reuse of the token. These tokens MUST only be used once, unless conditions for reuse were negotiated between the parties. Hydra does n
CVE-2020-15223 | P3 | HIGH | Affected versions: ≥ 0, < 0.34.0 | 2021-05-24
CVE-2020-15223 [HIGH] CWE-754: Ory fosite contains Improper Handling of Exceptional Conditions
Impact: The `TokenRevocationHandler` ignores errors coming from the storage. This can lead to unexpected 200 status codes indicating successful revocation while the token is still valid. Whether an attacker can use this to her advantage depends on the ability to trigger errors in the store.
References: [RFC 7009](https://tools.ietf
CVE-2020-15233 | P4 | MEDIUM | Affected versions: ≥ 0.30.3, < 0.34.1 | 2021-05-24
CVE-2020-15233 [MEDIUM] CWE-20: OAuth2 Redirect URL validity does not respect query parameters and character casing for loopback addresses
Impact: [fosite#400](https://github.com/ory/fosite/pull/400) (released as v0.30.2) introduced a new feature for handling redirect URLs pointing to loopback interfaces ([rfc8252#section-7.3](https://tools.ietf.org/html/rfc8252#section-7.3)). As part o
CVE-2020-15234 | P4 | MEDIUM | Affected versions: ≥ 0, < 0.34.1 | 2021-05-24
CVE-2020-15234 [MEDIUM] CWE-178: Redirect URL matching ignores character casing
Impact: Before version v0.34.1, the OAuth 2.0 Client's registered redirect URLs and the redirect URL provided at the OAuth2 Authorization Endpoint were compared using `strings.ToLower`, while they should have been compared with a simple string match: 1. Registering a client with allowed redirect URL `https://example.com/callback` 2. Performing OAuth2 flow and reques