GHSA-rcm4-jv5g-wccm: zfr authentication adapter did not verify validity of tokens
Previous to @2ca5bb1c2f11537be8f94ca6867d8d69789e744a (release 0.1.2), tokens weren’t checked for validity/expiration.
This potentially caused a security issue if expired tokens were not deleted after the expiration time was past, allowing anyone to still use invalidated authentication credentials.
References
- github.com/FriendsOfPHP/security-advisories/blob/master/zfr/zfr-oauth2-server-module/2014-04-26.yaml
- github.com/advisories/GHSA-rcm4-jv5g-wccm
- github.com/zf-fr/zfr-oauth2-server-module
- github.com/zf-fr/zfr-oauth2-server-module/commit/2ca5bb1c2f11537be8f94ca6867d8d69789e744a
- github.com/zf-fr/zfr-oauth2-server-module/issues/6
- github.com/zf-fr/zfr-oauth2-server-module/tree/0.1.2
Code Behaviors & Features
Detect and mitigate GHSA-rcm4-jv5g-wccm with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →