Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS00dzU5LWMzZ2MtcnJocM4AAx3q

vantage6 refresh tokens do not expire

From issue:

Problem description
Currently, the refresh token is valid indefinitely. This is bad security practice.

Desired solution
The refresh token should get a validity of 24-48 hours.

Additional context

When implementing this, also check that the refresh token returns a new refresh token
When implementing this, also adapt the UI so that it logs out if refresh token is no longer valid.
When implementing this, ensure that nodes refresh their token periodically so that they do not have to be restarted manually.

Impact

Patches

None available

Workarounds

None available

Permalink: https://github.com/advisories/GHSA-4w59-c3gc-rrhp
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00dzU5LWMzZ2MtcnJocM4AAx3q
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: 2 days ago

CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-4w59-c3gc-rrhp, CVE-2023-23929
References:

• https://github.com/vantage6/vantage6/security/advisories/GHSA-4w59-c3gc-rrhp
• https://github.com/vantage6/vantage6/commit/48ebfca42359e9a6743e9598684585e2522cdce8
• https://nvd.nist.gov/vuln/detail/CVE-2023-23929
• https://github.com/pypa/advisory-database/tree/main/vulns/vantage6/PYSEC-2023-54.yaml
• https://github.com/advisories/GHSA-4w59-c3gc-rrhp

Repository: https://github.com/vantage6/vantage6
Blast Radius: 8.4

Affected Packages