Uncontrolled Resource Consumption ('Resource Exhaustion') Affecting oidcc package, versions >=3.0.0 <3.0.2>=3.1.0 <3.1.2>=3.2.0-beta.1 <3.2.0-beta.3


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
0.24% (15th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-HEX-OIDCC-6564983
  • published5 Apr 2024
  • disclosed3 Apr 2024
  • creditMohamed Ali Khechine, Robert Fiko

Introduced: 3 Apr 2024

CVE-2024-31209  (opens in a new tab)
CWE-400  (opens in a new tab)

How to fix?

Upgrade oidcc to version 3.0.2, 3.1.2, 3.2.0-beta.3 or higher.

Overview

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the get_ets_table_name function. An attacker can cause a denial of service by repeatedly invoking oidcc_provider_configuration_worker:get_provider_configuration/1 or oidcc_provider_configuration_worker:get_jwks/1 with varying atom values, leading to atom table exhaustion and potential node crash. This scenario, however, is highly improbable as the name is typically a static value in applications using oidcc.

Workaround

Make sure only valid provider configuration worker names are passed to the functions.

PoC

{ok, Claims} =
  oidcc:retrieve_userinfo(
    Token,
    myapp_oidcc_config_provider,
    <<"client_id">>,
    <<"client_secret">>,
    #{}
  )

CVSS Base Scores

version 3.1