GHSA-4W59-C3GC-RRHP

Vulnerability from github – Published: 2023-02-28 23:20 – Updated: 2024-11-18 23:10
VLAI?
Summary
vantage6 refresh tokens do not expire
Details

From issue:

Problem description Currently, the refresh token is valid indefinitely. This is bad security practice.

Desired solution The refresh token should get a validity of 24-48 hours.

Additional context

When implementing this, also check that the refresh token returns a new refresh token When implementing this, also adapt the UI so that it logs out if refresh token is no longer valid. When implementing this, ensure that nodes refresh their token periodically so that they do not have to be restarted manually.

Impact

Patches

None available

Workarounds

None available

Severity ?
8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.7 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vantage6"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-23929"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-28T23:20:05Z",
    "nvd_published_at": "2023-03-04T00:15:00Z",
    "severity": "HIGH"
  },
  "details": "From issue: \n\nProblem description\nCurrently, the refresh token is valid indefinitely. This is bad security practice.\n\nDesired solution\nThe refresh token should get a validity of 24-48 hours.\n\nAdditional context\n\nWhen implementing this, also check that the refresh token returns a new refresh token\nWhen implementing this, also adapt the UI so that it logs out if refresh token is no longer valid.\nWhen implementing this, ensure that nodes refresh their token periodically so that they do not have to be restarted manually.\n\n\n### Impact\n### Patches\nNone available \n\n### Workarounds\nNone available\n\n",
  "id": "GHSA-4w59-c3gc-rrhp",
  "modified": "2024-11-18T23:10:57Z",
  "published": "2023-02-28T23:20:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-4w59-c3gc-rrhp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23929"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vantage6/vantage6/commit/48ebfca42359e9a6743e9598684585e2522cdce8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vantage6/PYSEC-2023-54.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vantage6/vantage6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "vantage6 refresh tokens do not expire"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.