CVE-2020-15223
Ignored storage errors on token revocation in ORY Fosite
In short
ORY Fosite's token revocation endpoint reports success (HTTP 200) even when the revocation never reached storage because the store returned an error. A client, or an attacker holding a stolen token, can then keep using a token its owner believes has been invalidated, provided a storage error can be induced or happens to occur at the right moment.
Technical detail
The TokenRevocationHandler does not check the error returned by the storage layer during revocation and answers with a success status regardless of whether the revocation was persisted. If the store fails, the token stays valid while the revoking party is told it has been revoked, so it will not retry or take other action. Whether an attacker can exploit this depends on being able to induce storage-layer errors, or on benefiting from ones that occur naturally. Fixed in version 0.34.0.
Summary generated and translated by AI from the official description.
In ORY Fosite (the security first OAuth2 & OpenID Connect framework for Go) before version 0.34.0, the `TokenRevocationHandler` ignores errors coming from the storage. This can lead to unexpected 200 status codes indicating successful revocation while the token is still valid. Whether an attacker can use this for her advantage depends on the ability to trigger errors in the store. This is fixed in version 0.34.0.
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
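The pattern behind this advisory, shown as an added example in Go (not Fosite's own code). The `flakyStore` type is a constructed stand-in for Fosite's storage backend; `vulnerableRevoke` reproduces the pre-0.34.0 behaviour of discarding the storage error, and `fixedRevoke` surfaces it. Mapping a storage failure to HTTP 503 is this example's choice, not necessarily what the upstream fix does; what matters is that an unknown or already-revoked token still yields 200 as RFC 7009 requires, while a persistence failure does not.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
)

// ErrTokenNotFound is returned for tokens the server never issued (or already
// purged). RFC 7009 says an invalid token still yields HTTP 200, so the
// handler must tell this apart from a real storage failure.
var ErrTokenNotFound = errors.New("token not found")

// flakyStore is a constructed stand-in for the storage backend. Setting
// failWrites simulates the backend error the advisory describes.
type flakyStore struct {
	failWrites bool
	known      map[string]bool // tokens the server issued
	revoked    map[string]bool // tokens that have been revoked
}

func newFlakyStore(tokens ...string) *flakyStore {
	s := &flakyStore{known: map[string]bool{}, revoked: map[string]bool{}}
	for _, t := range tokens {
		s.known[t] = true
	}
	return s
}

// RevokeToken persists the revocation, or reports why it could not.
func (s *flakyStore) RevokeToken(ctx context.Context, token string) error {
	if !s.known[token] {
		return ErrTokenNotFound
	}
	if s.failWrites {
		return errors.New("storage: write failed")
	}
	s.revoked[token] = true
	return nil
}

// IsActive is what introspection or a resource server would consult later.
func (s *flakyStore) IsActive(token string) bool {
	return s.known[token] && !s.revoked[token]
}

// vulnerableRevoke reproduces the pre-0.34.0 pattern: the storage error is
// discarded, so the client always sees HTTP 200 even when nothing was written.
func vulnerableRevoke(ctx context.Context, s *flakyStore, token string) int {
	_ = s.RevokeToken(ctx, token) // error ignored
	return http.StatusOK
}

// fixedRevoke keeps the RFC 7009 contract (200 for success or an unknown
// token) but turns a storage failure into a non-2xx status plus an error.
// 503 is this example's assumption, not necessarily the upstream choice.
func fixedRevoke(ctx context.Context, s *flakyStore, token string) (int, error) {
	err := s.RevokeToken(ctx, token)
	switch {
	case err == nil, errors.Is(err, ErrTokenNotFound):
		return http.StatusOK, nil
	default:
		return http.StatusServiceUnavailable, fmt.Errorf("revocation not persisted: %w", err)
	}
}

func main() {
	ctx := context.Background()
	s := newFlakyStore("tok-A") // constructed sample token
	s.failWrites = true

	code := vulnerableRevoke(ctx, s, "tok-A")
	fmt.Printf("vulnerable: status=%d active=%v\n", code, s.IsActive("tok-A")) // 200, still active

	code, err := fixedRevoke(ctx, s, "tok-A")
	fmt.Printf("fixed: status=%d err=%v active=%v\n", code, err, s.IsActive("tok-A")) // 503, still active

	s.failWrites = false
	code, err = fixedRevoke(ctx, s, "tok-A")
	fmt.Printf("fixed (store healthy): status=%d err=%v active=%v\n", code, err, s.IsActive("tok-A")) // 200, revoked
}
```

A client that receives a 5xx from the fixed handler knows the revocation did not take and can retry; with the vulnerable handler it has no signal at all, which is why the check belongs server-side rather than in the caller.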
Affected products
ory · fosite