CVE-2023-23929
HIGH8.8EPSS 0.28%vantage6 refresh tokens do not expire
發布日:2023/2/28修改日:2024/11/18
描述
From issue: Problem description Currently, the refresh token is valid indefinitely. This is bad security practice. Desired solution The refresh token should get a validity of 24-48 hours. Additional context When implementing this, also check that the refresh token returns a new refresh token When implementing this, also adapt the UI so that it logs out if refresh token is no longer valid. When implementing this, ensure that nodes refresh their token periodically so that they do not have to be restarted manually. ### Impact ### Patches None available ### Workarounds None available
受影響套件(2)
- PyPI/vantage6from 0, < 3.8.0
- PyPI/vantage6from 0, < 48ebfca42359e9a6743e9598684585e2522cdce8 | from 0, < 3.8.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
參考連結(5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-23929
- PATCHhttps://github.com/vantage6/vantage6
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/vantage6/PYSEC-2023-54.yaml
- WEBhttps://github.com/vantage6/vantage6/commit/48ebfca42359e9a6743e9598684585e2522cdce8
- WEBhttps://github.com/vantage6/vantage6/security/advisories/GHSA-4w59-c3gc-rrhp