GHSA-7mqr-2v3q-v2wm

Source
https://github.com/advisories/GHSA-7mqr-2v3q-v2wm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-7mqr-2v3q-v2wm/GHSA-7mqr-2v3q-v2wm.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-7mqr-2v3q-v2wm
Aliases
Related
Published
2021-05-24T16:57:39Z
Modified
2023-11-01T04:52:01.067901Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Summary
Ory fosite contains Improper Handling of Exceptional Conditions
Details

Impact

The TokenRevocationHandler ignores errors returned by the storage backend. This can lead to an unexpected 200 status code, indicating successful revocation, while the token is in fact still valid. Whether an attacker can turn this to her advantage depends on the ability to trigger errors in the store.

References

RFC 7009 states that a 503 HTTP code must be returned when the server has a problem.
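The failure mode described above, as an added illustration that is not fosite's code: a constructed in-memory token store that can be switched into a failing state stands in for a storage outage. `revokeIgnoringErrors` drops the storage error and answers 200 regardless, so the caller believes the token is gone while the store still holds it; `revokeChecked` propagates the failure as 503, which is the response RFC 7009 requires when the server cannot process the revocation. The store, handler names and token values are all assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// TokenStore is a constructed, minimal stand-in for a revocation storage backend.
type TokenStore interface {
	RevokeToken(token string) error
}

// memStore keeps issued tokens in a map; setting failing simulates a storage outage.
type memStore struct {
	tokens  map[string]bool
	failing bool
}

var errStoreDown = errors.New("storage unavailable")

func newStore(tokens ...string) *memStore {
	s := &memStore{tokens: map[string]bool{}}
	for _, t := range tokens {
		s.tokens[t] = true
	}
	return s
}

// RevokeToken removes the token, or returns an error while the store is failing.
func (s *memStore) RevokeToken(token string) error {
	if s.failing {
		return errStoreDown
	}
	delete(s.tokens, token)
	return nil
}

// IsValid reports whether the store still accepts the token.
func (s *memStore) IsValid(token string) bool { return s.tokens[token] }

// revokeIgnoringErrors mirrors the flaw in the advisory: the storage error is
// discarded and 200 is returned even though the token was not revoked.
func revokeIgnoringErrors(store TokenStore, token string) int {
	_ = store.RevokeToken(token) // error silently dropped
	return http.StatusOK
}

// revokeChecked surfaces a storage failure as 503 so the client can retry,
// and only reports 200 once the store has actually dropped the token.
func revokeChecked(store TokenStore, token string) int {
	if err := store.RevokeToken(token); err != nil {
		return http.StatusServiceUnavailable
	}
	return http.StatusOK
}

func main() {
	s := newStore("tok-1") // constructed sample token
	s.failing = true
	fmt.Printf("ignoring errors: status=%d still valid=%v\n",
		revokeIgnoringErrors(s, "tok-1"), s.IsValid("tok-1"))
	fmt.Printf("checked: status=%d still valid=%v\n",
		revokeChecked(s, "tok-1"), s.IsValid("tok-1"))
	s.failing = false
	fmt.Printf("checked, store recovered: status=%d still valid=%v\n",
		revokeChecked(s, "tok-1"), s.IsValid("tok-1"))
}
```

The detection angle for an operator is the mismatch the first line of output exposes: a revocation endpoint logging 200 while the backing store is reporting errors is the signal that revocations are being silently lost.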

Database specific
{
    "nvd_published_at": "2020-09-24T17:15:00Z",
    "github_reviewed_at": "2021-05-24T12:53:07Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-754",
        "CWE-755"
    ]
}
References

Affected packages

Go / github.com/ory/fosite

Package

Name
github.com/ory/fosite
Purl
pkg:golang/github.com/ory/fosite

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.34.0