PT-2024-23852 · Oidcc · Oidcc

Mohamedalikhechine +2 · Published 2024-04-03 · Updated 2024-04-04 · CVE-2024-31209

CVSS v3.1: 5.3 Medium
Vector: AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
oidcc versions prior to 3.0.2
oidcc versions prior to 3.1.2
oidcc versions prior to 3.2.0-beta.3
Description
A Denial of Service (DoS) by atom exhaustion is possible by calling oidcc_provider_configuration_worker:get_provider_configuration/1 or oidcc_provider_configuration_worker:get_jwks/1. This issue is unlikely to be exploited, since the name is usually provided as a static value in the application using oidcc. The vulnerability is present in oidcc_provider_configuration_worker:get_ets_table_name/1, where get_ets_table_name calls erlang:list_to_atom/1. Atoms are never garbage-collected, so in the highly improbable case where the 2nd argument of oidcc_provider_configuration_worker:get_*/1 is called with a different atom each time, the atom table fills up and the node crashes.
Recommendations
For oidcc versions prior to 3.0.2, update to version 3.0.2 or later.
For oidcc versions prior to 3.1.2, update to version 3.1.2 or later.
For oidcc versions prior to 3.2.0-beta.3, update to version 3.2.0-beta.3 or later.
As a temporary workaround, make sure only valid provider configuration worker names are passed to the functions oidcc_provider_configuration_worker:get_provider_configuration/1 and oidcc_provider_configuration_worker:get_jwks/1.
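The pattern behind the advisory and the workaround, as an added illustration that is not oidcc's own code: a helper that builds an ETS table name from a caller-supplied atom, first in the form that allocates a new atom on every distinct input, then in a form that only resolves names that were registered at worker start-up, so an unexpected name is rejected instead of growing the atom table. The module name, the function names, the "_table" suffix and the register_table_name/1 start-up step are assumptions made for this example; only the list_to_atom/1 versus list_to_existing_atom/1 contrast mirrors the issue described above.

```erlang
%% Added example, not oidcc's code. Module, function names and the
%% "_table" suffix are hypothetical; the pattern mirrors the advisory.
-module(atom_exhaustion_example).
-export([register_table_name/1, unsafe_table_name/1,
         safe_table_name/1, remaining_atoms/0]).

%% Start-up step (trusted configuration): create the table-name atom
%% exactly once for each configured provider worker. Atoms created here
%% are bounded by the number of configured workers, not by callers.
register_table_name(Name) when is_atom(Name) ->
    list_to_atom(atom_to_list(Name) ++ "_table").

%% Vulnerable pattern: every distinct Name yields a fresh atom. Atoms are
%% never garbage-collected, so a caller that can vary Name drives the
%% atom table toward its limit (1,048,576 by default) and the node aborts.
unsafe_table_name(Name) when is_atom(Name) ->
    list_to_atom(atom_to_list(Name) ++ "_table").

%% Hardened pattern: only resolve names whose table atom already exists
%% (i.e. was created by register_table_name/1). list_to_existing_atom/1
%% raises badarg instead of allocating, so unknown names cannot grow the
%% atom table; the error is returned to the caller as data.
safe_table_name(Name) when is_atom(Name) ->
    try
        {ok, list_to_existing_atom(atom_to_list(Name) ++ "_table")}
    catch
        error:badarg -> {error, {unknown_provider, Name}}
    end.

%% Operational check for alerting: headroom left in the atom table.
%% erlang:system_info(atom_count) and erlang:system_info(atom_limit)
%% are available from OTP 20 onward.
remaining_atoms() ->
    erlang:system_info(atom_limit) - erlang:system_info(atom_count).
```

Usage, in an Erlang shell after compiling the module: atom_exhaustion_example:register_table_name(my_provider) is run once at start-up; atom_exhaustion_example:safe_table_name(my_provider) then returns {ok, my_provider_table}, while atom_exhaustion_example:safe_table_name(not_configured) returns {error, {unknown_provider, not_configured}} without creating any atom. Polling remaining_atoms/0 and alerting when it drops steadily gives operators a signal for atom-table growth from any source, not just this code path.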

Weakness Enumeration
Resource Exhaustion

Related Identifiers
CVE-2024-31209
GHSA-MJ35-2RGF-CV8P

Affected Products
Oidcc