CVE-2020-15222

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-15222

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-15222.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2020-15222

Aliases

Related

GHSA-v3q9-2p3m-7g43

Published

2020-09-24T17:15:13Z

Modified

2025-10-15T12:03:19.727780Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

In ORY Fosite (the security first OAuth2 & OpenID Connect framework for Go) before version 0.31.0, when using "privatekeyjwt" authentication the uniqueness of the jti value is not checked. When using client authentication method "privatekeyjwt", OpenId specification says the following about assertion jti: "A unique identifier for the token, which can be used to prevent reuse of the token. These tokens MUST only be used once, unless conditions for reuse were negotiated between the parties". Hydra does not seem to check the uniqueness of this jti value. This problem is fixed in version 0.31.0.

References

Affected packages

Git / github.com/ory/fosite

Affected ranges

Type: GIT
Repo: https://github.com/ory/fosite
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

0c9e0f6d654913ad57c507dd9a36631e1858a3e9

Affected versions

v0.*

v0.1.0

v0.10.0

v0.11.0

v0.11.1

v0.11.2

v0.11.3

v0.11.4

v0.12.0

v0.13.0

v0.13.1

v0.14.0

v0.14.1

v0.14.2

v0.15.0

v0.15.1

v0.15.2

v0.15.3

v0.15.4

v0.15.5

v0.15.6

v0.16.0

v0.16.1

v0.16.2

v0.16.3

v0.16.4

v0.16.5

v0.17.0

v0.17.1

v0.17.2

v0.18.0

v0.18.1

v0.19.0

v0.19.1

v0.19.2

v0.19.3

v0.19.4

v0.19.5

v0.19.6

v0.19.7

v0.19.8

v0.2.0

v0.2.1

v0.2.2

v0.2.3

v0.2.4

v0.20.0

v0.20.1

v0.20.2

v0.20.3

v0.21.0

v0.21.1

v0.21.2

v0.21.3

v0.21.4

v0.21.5

v0.22.0

v0.23.0

v0.24.0

v0.25.0

v0.25.1

v0.26.0

v0.26.1

v0.27.0

v0.27.1

v0.27.2

v0.27.3

v0.27.4

v0.28.0

v0.28.1

v0.29.0

v0.29.1

v0.29.2

v0.29.3

v0.29.4

v0.29.5

v0.29.6

v0.29.7

v0.29.8

v0.3.0

v0.3.1

v0.3.2

v0.3.3

v0.3.4

v0.3.5

v0.3.6

v0.30.0

v0.30.1

v0.30.2

v0.30.3

v0.30.4

v0.30.5

v0.30.6

v0.4.0

v0.5.0

v0.5.1

v0.6.0

v0.6.1

v0.6.10

v0.6.11

v0.6.12

v0.6.13

v0.6.14

v0.6.15

v0.6.17

v0.6.18

v0.6.19

v0.6.2

v0.6.3

v0.6.4

v0.6.5

v0.6.6

v0.6.7

v0.6.8

v0.6.9

v0.7.0

v0.8.0

v0.9.0

v0.9.1

v0.9.2

v0.9.3

v0.9.4

v0.9.5

v0.9.6

v0.9.7