PT-2020-18389 · Ory · Hydra

Aeneasr

+1

·

Published

2020-04-06

·

Updated

2024-08-21

·

CVE-2020-5300

CVSS v3.1

5.8

Medium

Vector: AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Hydra versions prior to 1.4.0+oryOS.17

Description: The issue concerns Hydra, an OAuth2 Server and OpenID Certified OpenID Connect Provider written in Go. When the client authentication method 'private_key_jwt' is used, Hydra does not check the uniqueness of the jti value in the client assertion JWT; that uniqueness check is what prevents an assertion from being replayed. Exploiting this issue is somewhat difficult, because TLS protects the assertion against MITM interception and the JWT has a short expiry time, but it still poses a risk.

Recommendations: For versions prior to 1.4.0+oryOS.17, update to version 1.4.0+oryOS.17 to resolve the issue. As a temporary workaround, consider disabling the use of 'private_key_jwt' for client authentication. Alternatively, use short expiry times for the JWTs to minimize the window of opportunity for token replay attacks.
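The missing check described above, as an added illustration that is not Hydra's own code: a server-side store that records each accepted (client_id, jti) pair until the assertion's exp and rejects any later presentation of the same jti while the original assertion is still valid. The store type, its method names, and the sample times are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// ErrJTIReused is returned when a client assertion's jti has already been accepted.
var ErrJTIReused = errors.New("client assertion jti already used")

// JTIStore remembers accepted jti values until the assertion that carried them
// expires. Hypothetical in-memory store for this example; a clustered deployment
// would need a shared store so every node sees the same jti values.
type JTIStore struct {
	mu   sync.Mutex
	seen map[string]time.Time // (client_id, jti) -> exp of the accepted assertion
}

func NewJTIStore() *JTIStore { return &JTIStore{seen: make(map[string]time.Time)} }

// Accept returns nil the first time a (clientID, jti) pair is presented before exp,
// and ErrJTIReused on any later presentation while that assertion is still valid.
// Expired or jti-less assertions are rejected outright.
func (s *JTIStore) Accept(clientID, jti string, exp, now time.Time) error {
	if jti == "" {
		return errors.New("client assertion missing jti")
	}
	if !now.Before(exp) {
		return errors.New("client assertion expired")
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	// Entries whose assertion can no longer be presented are safe to forget.
	for k, e := range s.seen {
		if !now.Before(e) {
			delete(s.seen, k)
		}
	}
	key := clientID + "\x00" + jti // scope jti uniqueness per client
	if _, dup := s.seen[key]; dup {
		return ErrJTIReused
	}
	s.seen[key] = exp
	return nil
}

func main() {
	s := NewJTIStore()
	now := time.Now()
	fmt.Println(s.Accept("client-a", "jti-1", now.Add(5*time.Minute), now)) // <nil>
	fmt.Println(s.Accept("client-a", "jti-1", now.Add(5*time.Minute), now)) // reuse rejected
}
```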

Fix

Weakness Enumeration

Related Identifiers

CVE-2020-5300
GHSA-3P3G-VPW6-4W66
GO-2022-0786

Affected Products

Hydra