Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

1 vulnerability by erlef

CVE-2024-31209 (GCVE-0-2024-31209)

Vulnerability from cvelistv5 – Published: 2024-04-04 16:04 – Updated: 2024-09-03 18:26
VLAI
Title
OpenID Connect client Atom Exhaustion in provider configuration worker ets table location
Summary
oidcc is the OpenID Connect client library for Erlang. Denial of Service (DoS) by Atom exhaustion is possible by calling `oidcc_provider_configuration_worker:get_provider_configuration/1` or `oidcc_provider_configuration_worker:get_jwks/1`. This issue has been patched in version(s)`3.1.2` & `3.2.0-beta.3`.
Severity
5.3 (Medium)
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-400 - Uncontrolled Resource Consumption
Assigner
References
Impacted products
Vendor Product Version
erlef oidcc Affected: >= 3.0.0, < 3.0.2
Affected: >= 3.1.0, < 3.1.2
Affected: >= 3.2.0-beta.1, < 3.2.0-beta.3
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T01:46:04.592Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/erlef/oidcc/security/advisories/GHSA-mj35-2rgf-cv8p",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/erlef/oidcc/security/advisories/GHSA-mj35-2rgf-cv8p"
          },
          {
            "name": "https://github.com/erlef/oidcc/commit/2f304d877c7e0613d6fd952d7feacbf40dbc355c",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/erlef/oidcc/commit/2f304d877c7e0613d6fd952d7feacbf40dbc355c"
          },
          {
            "name": "https://github.com/erlef/oidcc/commit/48171fb62688fb4eec1ead0884aa501e0aa68649",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/erlef/oidcc/commit/48171fb62688fb4eec1ead0884aa501e0aa68649"
          },
          {
            "name": "https://github.com/erlef/oidcc/commit/ac458ed88dc292aad6fa7343f6a53e73c560fb1a",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/erlef/oidcc/commit/ac458ed88dc292aad6fa7343f6a53e73c560fb1a"
          },
          {
            "name": "https://github.com/erlef/oidcc/blob/018dbb53dd752cb1e331637d8e0e6a489ba1fae9/src/oidcc_provider_configuration_worker.erl#L385-L388",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/erlef/oidcc/blob/018dbb53dd752cb1e331637d8e0e6a489ba1fae9/src/oidcc_provider_configuration_worker.erl#L385-L388"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-31209",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-07T15:32:55.551475Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-03T18:26:21.909Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "oidcc",
          "vendor": "erlef",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 3.0.0, \u003c 3.0.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.1.0, \u003c 3.1.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.2.0-beta.1, \u003c 3.2.0-beta.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "oidcc is the OpenID Connect client library for Erlang. Denial of Service (DoS) by Atom exhaustion is possible by calling `oidcc_provider_configuration_worker:get_provider_configuration/1` or `oidcc_provider_configuration_worker:get_jwks/1`. This issue has been patched in version(s)`3.1.2` \u0026 `3.2.0-beta.3`."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-04-04T16:04:43.255Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/erlef/oidcc/security/advisories/GHSA-mj35-2rgf-cv8p",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/erlef/oidcc/security/advisories/GHSA-mj35-2rgf-cv8p"
        },
        {
          "name": "https://github.com/erlef/oidcc/commit/2f304d877c7e0613d6fd952d7feacbf40dbc355c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/erlef/oidcc/commit/2f304d877c7e0613d6fd952d7feacbf40dbc355c"
        },
        {
          "name": "https://github.com/erlef/oidcc/commit/48171fb62688fb4eec1ead0884aa501e0aa68649",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/erlef/oidcc/commit/48171fb62688fb4eec1ead0884aa501e0aa68649"
        },
        {
          "name": "https://github.com/erlef/oidcc/commit/ac458ed88dc292aad6fa7343f6a53e73c560fb1a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/erlef/oidcc/commit/ac458ed88dc292aad6fa7343f6a53e73c560fb1a"
        },
        {
          "name": "https://github.com/erlef/oidcc/blob/018dbb53dd752cb1e331637d8e0e6a489ba1fae9/src/oidcc_provider_configuration_worker.erl#L385-L388",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/erlef/oidcc/blob/018dbb53dd752cb1e331637d8e0e6a489ba1fae9/src/oidcc_provider_configuration_worker.erl#L385-L388"
        }
      ],
      "source": {
        "advisory": "GHSA-mj35-2rgf-cv8p",
        "discovery": "UNKNOWN"
      },
      "title": "OpenID Connect client Atom Exhaustion in provider configuration worker ets table location"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-31209",
    "datePublished": "2024-04-04T16:04:43.255Z",
    "dateReserved": "2024-03-29T14:16:31.900Z",
    "dateUpdated": "2024-09-03T18:26:21.909Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}