CVE-2024-31209
OpenID Connect client Atom Exhaustion in provider configuration worker ets table location
oidcc is the OpenID Connect client library for Erlang. Denial of service (DoS) through atom exhaustion is possible by calling `oidcc_provider_configuration_worker:get_provider_configuration/1` or `oidcc_provider_configuration_worker:get_jwks/1`. This issue has been patched in versions `3.1.2` and `3.2.0-beta.3`.
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H
Affected products
erlef · oidcc
References
https://github.com/erlef/oidcc/blob/018dbb53dd752cb1e331637d8e0e6a489ba1fae9/src/oidcc_provider_configuration_worker.erl#L385-L388
https://github.com/erlef/oidcc/commit/2f304d877c7e0613d6fd952d7feacbf40dbc355c
https://github.com/erlef/oidcc/commit/48171fb62688fb4eec1ead0884aa501e0aa68649
https://github.com/erlef/oidcc/commit/ac458ed88dc292aad6fa7343f6a53e73c560fb1a
https://github.com/erlef/oidcc/security/advisories/GHSA-mj35-2rgf-cv8p