Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yY200LWp2NWctd2Njbc4AA80Y
zfr authentication adapter did not verify validity of tokens
Previous to @2ca5bb1c2f11537be8f94ca6867d8d69789e744a (release 0.1.2), tokens weren't checked for validity/expiration.
This potentially caused a security issue if expired tokens were not deleted after the expiration time was past, allowing anyone to still use invalidated authentication credentials.
Permalink: https://github.com/advisories/GHSA-rcm4-jv5g-wccmJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yY200LWp2NWctd2Njbc4AA80Y
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 6 months ago
Updated: 6 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Identifiers: GHSA-rcm4-jv5g-wccm
References:
- https://github.com/zf-fr/zfr-oauth2-server-module/issues/6
- https://github.com/zf-fr/zfr-oauth2-server-module/commit/2ca5bb1c2f11537be8f94ca6867d8d69789e744a
- https://github.com/FriendsOfPHP/security-advisories/blob/master/zfr/zfr-oauth2-server-module/2014-04-26.yaml
- https://github.com/zf-fr/zfr-oauth2-server-module/tree/0.1.2
- https://github.com/advisories/GHSA-rcm4-jv5g-wccm
Blast Radius: 7.2
Affected Packages
packagist:zfr/zfr-oauth2-server-module
Dependent packages: 2Dependent repositories: 9
Downloads: 32,422 total
Affected Version Ranges: < 0.1.2
Fixed in: 0.1.2
All affected versions: 0.1.0, 0.1.1
All unaffected versions: 0.1.2, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.7.0