GHSA-rcm4-jv5g-wccm
Suggest an improvement- Source
- https://github.com/advisories/GHSA-rcm4-jv5g-wccm
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-rcm4-jv5g-wccm/GHSA-rcm4-jv5g-wccm.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-rcm4-jv5g-wccm
- Published
- 2024-06-07T22:30:03Z
- Modified
- 2024-12-04T05:41:06.356157Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- zfr authentication adapter did not verify validity of tokens
- Details
-
Previous to @2ca5bb1c2f11537be8f94ca6867d8d69789e744a (release 0.1.2), tokens weren't checked for validity/expiration.
This potentially caused a security issue if expired tokens were not deleted after the expiration time was past, allowing anyone to still use invalidated authentication credentials.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-613" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-06-07T22:30:03Z" }- References
-
- https://github.com/zf-fr/zfr-oauth2-server-module/issues/6
- https://github.com/zf-fr/zfr-oauth2-server-module/commit/2ca5bb1c2f11537be8f94ca6867d8d69789e744a
- https://github.com/FriendsOfPHP/security-advisories/blob/master/zfr/zfr-oauth2-server-module/2014-04-26.yaml
- https://github.com/zf-fr/zfr-oauth2-server-module
- https://github.com/zf-fr/zfr-oauth2-server-module/tree/0.1.2
Affected packages
Packagist / zfr/zfr-oauth2-server-module
Package
- Name
- zfr/zfr-oauth2-server-module
- Purl
- pkg:composer/zfr/zfr-oauth2-server-module