CVE-2020-15222 : In ORY Fosite (the security first OAuth2 & OpenID Connect framework for Go) befo

In ORY Fosite (the security first OAuth2 & OpenID Connect framework for Go) before version 0.31.0, when using "private_key_jwt" authentication the uniqueness of the `jti` value is not checked. When using client authentication method "private_key_jwt", OpenId specification says the following about assertion `jti`: "A unique identifier for the token, which can be used to prevent reuse of the token. These tokens MUST only be used once, unless conditions for reuse were negotiated between the parties". Hydra does not seem to check the uniqueness of this `jti` value. This problem is fixed in version 0.31.0.

Published 2020-09-24 17:15:13

Updated 2021-11-18 17:51:52

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: BypassGain privilege

Products affected by CVE-2020-15222

ORY » Fosite
Versions before (<) 0.31.0
cpe:2.3:a:ory:fosite:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-15222

EPSS FAQ

0.12%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 27 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-15222

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:N	8.6	4.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: None
8.1	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N	2.8	5.2	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: None
8.1	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N	2.8	5.2	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: None

CWE ids for CVE-2020-15222

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Assigned by: security-advisories@github.com (Secondary)
CWE-345 Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2020-15222

https://github.com/ory/fosite/security/advisories/GHSA-v3q9-2p3m-7g43

Disallow replay of `private_key_jwt` by blacklisting JTIs · Advisory · ory/fosite · GitHub
Exploit;Third Party Advisory
https://github.com/ory/fosite/commit/0c9e0f6d654913ad57c507dd9a36631e1858a3e9

Merge pull request from GHSA-v3q9-2p3m-7g43 · ory/fosite@0c9e0f6 · GitHub
Patch;Third Party Advisory
https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication

Final: OpenID Connect Core 1.0 incorporating errata set 1
Third Party Advisory

Jump to

Vulnerability Details : CVE-2020-15222

Products affected by CVE-2020-15222

Exploit prediction scoring system (EPSS) score for CVE-2020-15222

CVSS scores for CVE-2020-15222

CWE ids for CVE-2020-15222

References for CVE-2020-15222