Improper Handling of Exceptional Conditions

Affecting github.com/ory/fosite/handler/oauth2 package, versions <0.34.0


Overview

github.com/ory/fosite/handler/oauth2 is an OAuth2 & OpenID Connect framework for Go.

Affected versions of this package are vulnerable to Improper Handling of Exceptional Conditions. The TokenRevocationHandler ignores errors returned by the storage backend: when the store fails while processing a revocation request, the handler still responds with HTTP 200, signalling a successful revocation, even though the token was never invalidated and remains usable. A client that trusts the 200 response will assume the token is dead when it is not. Whether an attacker can exploit this depends on their ability to trigger errors in the store at the moment of revocation.
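
The following is an added illustration of the flaw class, not code from fosite. It uses a hypothetical TokenStore interface and a constructed in-memory store whose RevokeToken call can be forced to fail, and contrasts a handler that discards the storage error (answers 200, token still valid) with one that propagates it. The fixed handler answers 503, which RFC 7009 section 2.2.1 reserves for the case where the server cannot process the request and the client must assume the token still exists and retry.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
)

// TokenStore is a hypothetical storage interface for this example; it is not fosite's API.
type TokenStore interface {
	RevokeToken(ctx context.Context, token string) error
	IsValid(ctx context.Context, token string) bool
}

// memoryStore is a constructed in-memory store whose RevokeToken can be forced
// to fail, standing in for a database timeout or a refused connection.
type memoryStore struct {
	mu     sync.Mutex
	tokens map[string]bool
	fail   error // when non-nil, RevokeToken returns it without revoking anything
}

func newMemoryStore(tokens ...string) *memoryStore {
	m := &memoryStore{tokens: map[string]bool{}}
	for _, t := range tokens {
		m.tokens[t] = true
	}
	return m
}

func (m *memoryStore) RevokeToken(_ context.Context, token string) error {
	m.mu.Lock()
	defer m.mu.Unlock()
	if m.fail != nil {
		return m.fail
	}
	delete(m.tokens, token)
	return nil
}

func (m *memoryStore) IsValid(_ context.Context, token string) bool {
	m.mu.Lock()
	defer m.mu.Unlock()
	return m.tokens[token]
}

// VulnerableRevokeHandler reproduces the flaw class in the advisory: the
// storage error is discarded, so the client sees 200 OK even though the
// token was never revoked.
func VulnerableRevokeHandler(store TokenStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		token := r.PostFormValue("token")
		_ = store.RevokeToken(r.Context(), token) // error silently ignored
		w.WriteHeader(http.StatusOK)
	}
}

// FixedRevokeHandler propagates the storage failure as 503 so the client knows
// the token is still live. The internal error is logged, not sent to the client.
func FixedRevokeHandler(store TokenStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		token := r.PostFormValue("token")
		if err := store.RevokeToken(r.Context(), token); err != nil {
			log.Printf("revocation failed: %v", err)
			w.Header().Set("Content-Type", "application/json")
			w.WriteHeader(http.StatusServiceUnavailable)
			fmt.Fprint(w, `{"error":"temporarily_unavailable"}`)
			return
		}
		w.WriteHeader(http.StatusOK)
	}
}

// RevokeStatus posts a form-encoded revocation request for token to h and
// returns the HTTP status code the handler produced.
func RevokeStatus(h http.HandlerFunc, token string) int {
	form := url.Values{"token": {token}}
	req := httptest.NewRequest(http.MethodPost, "/oauth2/revoke", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

// Scenario revokes the constructed token "tok-1" through handler, against a
// store that is either healthy or failing, and reports the status code and
// whether the token is still valid afterwards.
func Scenario(handler func(TokenStore) http.HandlerFunc, storageFails bool) (int, bool) {
	store := newMemoryStore("tok-1")
	if storageFails {
		store.fail = errors.New("storage: connection refused")
	}
	status := RevokeStatus(handler(store), "tok-1")
	return status, store.IsValid(context.Background(), "tok-1")
}

func main() {
	for _, c := range []struct {
		name    string
		handler func(TokenStore) http.HandlerFunc
	}{{"vulnerable", VulnerableRevokeHandler}, {"fixed", FixedRevokeHandler}} {
		status, valid := Scenario(c.handler, true)
		fmt.Printf("%-10s with failing storage: status=%d tokenStillValid=%v\n", c.name, status, valid)
	}
}
```

With the store failing, the vulnerable handler reports 200 while the token is still valid; the fixed handler reports 503 and the token is, correctly, still valid. Against a healthy store both return 200 and the token is gone. The same check, run against a storage mock that returns errors, is a cheap regression test for any revocation endpoint.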

Remediation

Upgrade github.com/ory/fosite/handler/oauth2 to version 0.34.0 or higher.

CVSS Score

8.0
high severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    Required
  • Scope
    Changed
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    None
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N/RL:O
Credit
Unknown
CVE
CVE-2020-15223
CWE
CWE-755
Snyk ID
SNYK-GOLANG-GITHUBCOMORYFOSITEHANDLEROAUTH2-1012739
Disclosed
25 Sep, 2020
Published
25 Sep, 2020