Vulnerability Information
Vulnerability Title
Oxia: OIDC token audience validation bypass via SkipClientIDCheck
Vulnerability Description
Oxia is a metadata store and coordination system. Before version 0.16.2, the OIDC authentication provider unconditionally sets SkipClientIDCheck: true in the go-oidc verifier configuration, which disables the library's standard audience (aud) claim validation. As a result, any token issued by the same OIDC issuer for an unrelated service (a different client ID) passes Oxia's checks as long as its issuer and signature are valid. This vulnerability is fixed in 0.16.2.
CVSS Information
N/A
Vulnerability Type
Improper Authentication
Vulnerability Title
oxia authorization issue vulnerability
Vulnerability Description
oxia is a distributed metadata store and coordination system open-sourced by Oxia. Versions of Oxia before 0.16.2 contain an authorization issue: the OIDC authentication provider unconditionally sets SkipClientIDCheck: true in the go-oidc verifier configuration, disabling the library-level validation of the standard audience claim, so tokens issued by the same OIDC issuer for unrelated services may be accepted by Oxia.
CVSS Information
N/A
Vulnerability Type
N/A
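The following stand-alone Go program is an added example illustrating both descriptions above; it is not Oxia's or go-oidc's own code. It reproduces the audience step of go-oidc's Verify with a weak configuration (SkipClientIDCheck: true) beside the corrected one, and runs both against two constructed, unsigned tokens from the same issuer: one minted for the audience "oxia" and one for an unrelated service. The names verifierConfig, checkAudience, acceptToken and makeUnsignedToken, the issuer URL and the audience values are assumptions made for the demonstration, and signature verification is deliberately omitted so that the example runs offline.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// audience mirrors how go-oidc reads the `aud` claim, which RFC 7519 allows
// to be either a single string or an array of strings.
type audience []string

func (a *audience) UnmarshalJSON(b []byte) error {
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*a = audience{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*a = audience(many)
	return nil
}

type claims struct {
	Issuer   string   `json:"iss"`
	Subject  string   `json:"sub"`
	Audience audience `json:"aud"`
}

// verifierConfig is a stand-in (assumed name) for the two oidc.Config fields
// relevant to this issue.
type verifierConfig struct {
	ClientID          string
	SkipClientIDCheck bool
}

// decodeClaims extracts the payload of a compact JWS. Signature verification is
// intentionally skipped here; a real verifier checks it before the claims.
func decodeClaims(rawToken string) (*claims, error) {
	parts := strings.Split(rawToken, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: expected 3 dot-separated parts")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decoding payload: %w", err)
	}
	var c claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("parsing claims: %w", err)
	}
	return &c, nil
}

// checkAudience reproduces the audience step of go-oidc's Verify: unless
// SkipClientIDCheck is set, the configured ClientID must appear in `aud`.
func checkAudience(cfg verifierConfig, c *claims) error {
	if cfg.SkipClientIDCheck {
		return nil // pre-0.16.2 behaviour: any audience from the issuer is accepted
	}
	for _, aud := range c.Audience {
		if aud == cfg.ClientID {
			return nil
		}
	}
	return fmt.Errorf("oidc: expected audience %q got %q", cfg.ClientID, []string(c.Audience))
}

// acceptToken is the combined check a service would run on a presented token.
func acceptToken(cfg verifierConfig, rawToken string) error {
	c, err := decodeClaims(rawToken)
	if err != nil {
		return err
	}
	return checkAudience(cfg, c)
}

// makeUnsignedToken builds a constructed, unsigned (alg "none") token for the demo.
func makeUnsignedToken(aud interface{}) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	body, _ := json.Marshal(map[string]interface{}{
		"iss": "https://issuer.example.com", // assumed issuer shared by both services
		"sub": "user-1",
		"aud": aud,
	})
	return header + "." + base64.RawURLEncoding.EncodeToString(body) + "."
}

func main() {
	forOxia := makeUnsignedToken("oxia")                     // token minted for Oxia
	forOther := makeUnsignedToken([]string{"billing-api"})  // token for an unrelated service

	weak := verifierConfig{ClientID: "oxia", SkipClientIDCheck: true} // vulnerable setting
	fixed := verifierConfig{ClientID: "oxia"}                         // audience enforced

	for name, tok := range map[string]string{"oxia-token": forOxia, "foreign-token": forOther} {
		fmt.Printf("%-14s weak: %v | fixed: %v\n", name, acceptToken(weak, tok), acceptToken(fixed, tok))
	}
}
```

With the weak configuration both tokens are accepted; with the corrected configuration only the token whose aud contains "oxia" passes, which is exactly the check the 0.16.2 fix restores. Note that the audience check is a per-client-ID check: a deployment must also set ClientID to the value the issuer puts in tokens minted for Oxia, otherwise every token will be rejected.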