PT-2020-14290 · Ory · Ory Fosite

Jclebreton (+1)

Published: 2020-09-24 · Updated: 2022-10-21

CVE-2020-15223

CVSS v3.1: 8.0 (High)
Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: ORY Fosite versions prior to 0.34.0

Description: The issue arises from improper error handling in the TokenRevocationHandler, which ignores errors coming from the storage. This can lead to unexpected 200 status codes indicating successful revocation while the token is still valid. An attacker's ability to exploit this relies on the ability to trigger errors in the underlying storage.

Recommendations: For versions prior to 0.34.0, update to version 0.34.0 to resolve the issue. As a temporary workaround, consider implementing additional error handling mechanisms for the TokenRevocationHandler to prevent unexpected 200 status codes. Restrict access to the token revocation endpoint to minimize the risk of exploitation until the update is applied.
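The pattern the description refers to, as an added illustration that is not Fosite's code: a minimal revocation handler that discards the storage error (and so always answers 200) beside one that reports the failure as 503, which RFC 7009 §2.2.1 specifies for temporary failures so the client knows the token may still exist. The `Storage` interface, `memoryStorage` and `failingStorage` are constructed stand-ins, not Fosite's types.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// Storage is a hypothetical stand-in for the token store the revocation
// handler talks to; it is not Fosite's real storage interface.
type Storage interface {
	RevokeToken(token string) error
}

// memoryStorage is a constructed working backend: revocation deletes the token.
type memoryStorage struct{ tokens map[string]bool }

func newMemoryStorage(tokens ...string) *memoryStorage {
	m := &memoryStorage{tokens: map[string]bool{}}
	for _, t := range tokens {
		m.tokens[t] = true
	}
	return m
}

func (m *memoryStorage) RevokeToken(token string) error { delete(m.tokens, token); return nil }
func (m *memoryStorage) Exists(token string) bool { return m.tokens[token] }

// failingStorage simulates a backend outage: every revocation call errors.
type failingStorage struct{}

func (failingStorage) RevokeToken(string) error { return errors.New("storage unavailable") }

// revokeIgnoringErrors is the flawed pattern described in the advisory: the
// storage error is discarded, so the client sees 200 while the token stays valid.
func revokeIgnoringErrors(s Storage, token string) int {
	_ = s.RevokeToken(token)
	return http.StatusOK
}

// revokeChecked propagates the failure as 503 (RFC 7009 §2.2.1), telling the
// client the token may still exist and that the request should be retried.
func revokeChecked(s Storage, token string) int {
	if err := s.RevokeToken(token); err != nil {
		return http.StatusServiceUnavailable
	}
	return http.StatusOK
}

func main() {
	fmt.Println(revokeIgnoringErrors(failingStorage{}, "tok")) // 200: misleading success
	fmt.Println(revokeChecked(failingStorage{}, "tok"))        // 503: honest failure
}
```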

Weakness Enumeration

Improper Check for Exceptional Conditions
Improper Handling of Exceptional Conditions

Related Identifiers

CVE-2020-15223
GHSA-7MQR-2V3Q-V2WM
GO-2021-0109

Affected Products

Ory Fosite