CVE-XXXX-0001

OpenID Connect client Atom Exhaustion in provider configuration worker ets table location

Previous Page: « Back to all CVEs Next Page: See on OSV.dev »

Weakness Type

CWE-400: Uncontrolled Resource Consumption

CSSS Base Score

10

Severity

CRITICAL

CVSS Vector

CVSS:4.0/​AV:N/​AC:L/​AT:N/​PR:N/​UI:N/​VC:H/​VI:H/​VA:H/​SC:H/​SI:H/​SA:H

Summary

OpenID Connect client Atom Exhaustion in provider configuration worker ets table location

Vulnerability description

oidcc is the OpenID Connect client library for Erlang. Denial of Service (DoS) by Atom exhaustion is possible by calling `oidcc_provider_configuration_worker:get_provider_configuration/1` or `oidcc_provider_configuration_worker:get_jwks/1`. This issue has been patched in version(s)`3.1.2` & `3.2.0-beta.3`.

References

• https://github.com/erlef/oidcc/security/advisories/GHSA-mj35-2rgf-cv8p
• https://github.com/erlef/oidcc/commit/2f304d877c7e0613d6fd952d7feacbf40dbc355c
• https://github.com/erlef/oidcc/commit/48171fb62688fb4eec1ead0884aa501e0aa68649
• https://github.com/erlef/oidcc/commit/ac458ed88dc292aad6fa7343f6a53e73c560fb1a
• https://github.com/erlef/oidcc/blob/018dbb53dd752cb1e331637d8e0e6a489ba1fae9/src/oidcc_provider_configuration_worker.erl#L385-L388

Affected

Hex: oidcc

• affected >= 3.0.0, < 3.0.2
• affected >= 3.1.0, < 3.1.2
• affected >= 3.2.0-beta.1, < 3.2.0-beta.3

GitHub: erlef/oidcc

• affected >= 3.0.0, < 3.0.2
• affected >= 3.1.0, < 3.1.2
• affected >= 3.2.0-beta.1, < 3.2.0-beta.3

CVE can also be requested as a JSON: GET /cves/cve-xxxx-0001.json