8
CVE-2020-15223
- EPSS 1.59%
- Veröffentlicht 24.09.2020 17:15:13
- Zuletzt bearbeitet 21.11.2024 05:05:07
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginIgnored storage errors on token revokation in ORY Fosite
In ORY Fosite (the security first OAuth2 & OpenID Connect framework for Go) before version 0.34.0, the `TokenRevocationHandler` ignores errors coming from the storage. This can lead to unexpected 200 status codes indicating successful revocation while the token is still valid. Whether an attacker can use this for her advantage depends on the ability to trigger errors in the store. This is fixed in version 0.34.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.59% | 0.724 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8 | 1.6 | 5.8 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
|
| nvd@nist.gov | 4 | 4.9 | 4.9 |
AV:N/AC:H/Au:N/C:P/I:P/A:N
|
| security-advisories@github.com | 8 | 1.6 | 5.8 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
|
CWE-754 Improper Check for Unusual or Exceptional Conditions
The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
CWE-755 Improper Handling of Exceptional Conditions
The product does not handle or incorrectly handles an exceptional condition.
https://github.com/ory/fosite/commit/03dd55813f5521985f7dd64277b7ba0cf1441319
https://github.com/ory/fosite/security/advisories/GHSA-7mqr-2v3q-v2wm
https://tools.ietf.org/html/rfc7009#section-2.2.1