CVE-2020-15222

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-15222
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-15222.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-15222
Aliases
Related
Published
2020-09-24T17:15:13Z
Modified
2025-01-15T01:43:01.794555Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Summary
[none]
Details

In ORY Fosite (the security-first OAuth2 & OpenID Connect framework for Go) before version 0.31.0, when using "private_key_jwt" client authentication, the uniqueness of the assertion's jti value is not checked. For the client authentication method "private_key_jwt", the OpenID Connect specification says the following about the assertion's jti claim: "A unique identifier for the token, which can be used to prevent reuse of the token. These tokens MUST only be used once, unless conditions for reuse were negotiated between the parties". Hydra does not seem to check the uniqueness of this jti value, so a previously used client assertion can be presented again. This problem is fixed in version 0.31.0.

References

Affected packages

Git / github.com/ory/fosite

Affected ranges

Type
GIT
Repo
https://github.com/ory/fosite
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*

v0.1.0
v0.10.0
v0.11.0
v0.11.1
v0.11.2
v0.11.3
v0.11.4
v0.12.0
v0.13.0
v0.13.1
v0.14.0
v0.14.1
v0.14.2
v0.15.0
v0.15.1
v0.15.2
v0.15.3
v0.15.4
v0.15.5
v0.15.6
v0.16.0
v0.16.1
v0.16.2
v0.16.3
v0.16.4
v0.16.5
v0.17.0
v0.17.1
v0.17.2
v0.18.0
v0.18.1
v0.19.0
v0.19.1
v0.19.2
v0.19.3
v0.19.4
v0.19.5
v0.19.6
v0.19.7
v0.19.8
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.20.0
v0.20.1
v0.20.2
v0.20.3
v0.21.0
v0.21.1
v0.21.2
v0.21.3
v0.21.4
v0.21.5
v0.22.0
v0.23.0
v0.24.0
v0.25.0
v0.25.1
v0.26.0
v0.26.1
v0.27.0
v0.27.1
v0.27.2
v0.27.3
v0.27.4
v0.28.0
v0.28.1
v0.29.0
v0.29.1
v0.29.2
v0.29.3
v0.29.4
v0.29.5
v0.29.6
v0.29.7
v0.29.8
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.3.6
v0.30.0
v0.30.1
v0.30.2
v0.30.3
v0.30.4
v0.30.5
v0.30.6
v0.4.0
v0.5.0
v0.5.1
v0.6.0
v0.6.1
v0.6.10
v0.6.11
v0.6.12
v0.6.13
v0.6.14
v0.6.15
v0.6.17
v0.6.18
v0.6.19
v0.6.2
v0.6.3
v0.6.4
v0.6.5
v0.6.6
v0.6.7
v0.6.8
v0.6.9
v0.7.0
v0.8.0
v0.9.0
v0.9.1
v0.9.2
v0.9.3
v0.9.4
v0.9.5
v0.9.6
v0.9.7