GHSA-4w59-c3gc-rrhp
Suggest an improvement- Source
- https://github.com/advisories/GHSA-4w59-c3gc-rrhp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-4w59-c3gc-rrhp/GHSA-4w59-c3gc-rrhp.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-4w59-c3gc-rrhp
- Aliases
- Related
- Published
- 2023-02-28T23:20:05Z
- Modified
- 2024-11-18T23:24:30.236080Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- vantage6 refresh tokens do not expire
- Details
-
From issue:
Problem description Currently, the refresh token is valid indefinitely. This is bad security practice.
Desired solution The refresh token should get a validity of 24-48 hours.
Additional context
When implementing this, also check that the refresh token returns a new refresh token When implementing this, also adapt the UI so that it logs out if refresh token is no longer valid. When implementing this, ensure that nodes refresh their token periodically so that they do not have to be restarted manually.
Impact
Patches
None available
Workarounds
None available
- Database specific
{ "github_reviewed_at": "2023-02-28T23:20:05Z", "severity": "HIGH", "nvd_published_at": "2023-03-04T00:15:00Z", "github_reviewed": true, "cwe_ids": [ "CWE-613" ] }- References
-
- https://github.com/vantage6/vantage6/security/advisories/GHSA-4w59-c3gc-rrhp
- https://nvd.nist.gov/vuln/detail/CVE-2023-23929
- https://github.com/vantage6/vantage6/commit/48ebfca42359e9a6743e9598684585e2522cdce8
- https://github.com/pypa/advisory-database/tree/main/vulns/vantage6/PYSEC-2023-54.yaml
- https://github.com/vantage6/vantage6
Affected packages
PyPI / vantage6
Package
- Name
- vantage6
- View open source insights on deps.dev
- Purl
- pkg:pypi/vantage6
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.8.0
Affected versions
0.*
0.0.0b0
0.0.0b1
0.0.0b3
0.0.0
1.*
1.0.0a1
1.0.0a2
1.0.0b2
1.0.0b3
1.0.0b4
1.0.0b5
1.0.0b6
1.0.0b7
1.0.0b8
1.0.0b9
1.0.0b10
1.0.0b11
1.0.0b12
1.0.0b13
1.0.0b14
1.0.0
1.1.0rc1
1.1.0rc2
1.1.0
1.2.0
1.2.1
1.2.2
1.2.3
1.2.3.post2
2.*
2.0.0a1
2.0.0a2
2.0.0a3
2.0.0
2.0.0.post1
2.0.1rc1
2.0.1rc2
2.1.0rc1
2.1.0
2.1.1
2.2.0b1
2.2.0b2
2.2.0b3
2.2.0b4
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.2.11
2.2.12
2.3.0rc1
2.3.0rc2
2.3.0rc3
2.3.0rc4
2.3.0rc5
2.3.0
2.3.1
2.3.2rc1
2.3.2
2.3.3
2.3.4
2.3.5b1
2.3.5
3.*
3.0.0b1
3.0.0b2
3.0.0b3
3.0.0b4
3.0.0b5
3.0.0b6
3.0.0b7
3.0.0b8
3.0.0rc1
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.1.0rc1
3.1.0rc5
3.1.0rc6
3.1.0rc7
3.1.0rc8
3.1.0rc9
3.1.0
3.1.1rc1
3.1.1rc2
3.2.0rc1
3.2.0rc2
3.2.0rc3
3.2.0rc4
3.2.0rc5
3.2.0
3.3.0a0
3.3.0rc1
3.3.0rc2
3.3.0rc3
3.3.0rc4
3.3.0
3.3.1
3.3.2
3.3.3
3.3.4
3.3.5
3.3.6
3.3.7a2
3.3.7a3
3.3.7
3.3.8a1
3.3.8a2
3.3.8a4
3.3.8a5
3.3.8a6
3.3.8a7
3.3.8a8
3.4.0a1
3.4.0a2
3.4.0a3
3.4.0a6
3.4.0
3.4.1a0
3.4.1a1
3.4.1a2
3.4.1a3
3.4.1
3.4.2a0
3.4.2
3.4.3
3.5.0rc1
3.5.0rc2
3.5.0rc3
3.5.0
3.5.1
3.5.2
3.6.0
3.6.1rc1
3.6.1rc2
3.6.1rc3
3.6.1
3.7.0rc1
3.7.0rc2
3.7.0
3.7.1
3.7.2
3.7.3
3.8.0rc3