Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange
Vulnerability Description
Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.4.0, the OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse. This vulnerability is fixed in 2.4.0.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Vulnerability Type
授权机制不正确
Vulnerability Title
Pocket ID 安全漏洞
Vulnerability Description
Pocket ID是Pocket ID开源的一个支持无密码认证的OIDC身份提供商。 Pocket ID 2.4.0之前版本存在安全漏洞,该漏洞源于OIDC令牌端点仅在客户端ID错误且代码过期时才拒绝授权代码,可能导致跨客户端代码交换和过期代码重用。
CVSS Information
N/A
Vulnerability Type
N/A