Vulnerabilities > ORY
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-06-22 | CVE-2021-32701 | Incorrect Authorization vulnerability in ORY Oathkeeper ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. | 7.5 |
| 2020-10-02 | CVE-2020-15233 | Open Redirect vulnerability in ORY Fosite ORY Fosite is a security first OAuth2 & OpenID Connect framework for Go. | 4.8 |
| 2020-10-02 | CVE-2020-15234 | Improper Handling of Case Sensitivity vulnerability in ORY Fosite ORY Fosite is a security first OAuth2 & OpenID Connect framework for Go. | 4.8 |
| 2020-09-24 | CVE-2020-15223 | Improper Check for Unusual or Exceptional Conditions vulnerability in ORY Fosite In ORY Fosite (the security first OAuth2 & OpenID Connect framework for Go) before version 0.34.0, the `TokenRevocationHandler` ignores errors coming from the storage. | 8.0 |
| 2020-09-24 | CVE-2020-15222 | Insufficient Verification of Data Authenticity vulnerability in ORY Fosite In ORY Fosite (the security first OAuth2 & OpenID Connect framework for Go) before version 0.31.0, when using "private_key_jwt" authentication the uniqueness of the `jti` value is not checked. | 8.1 |
| 2020-04-06 | CVE-2020-5300 | Authentication Bypass by Capture-replay vulnerability in ORY Hydra In Hydra (an OAuth2 Server and OpenID Certified™ OpenID Connect Provider written in Go), before version 1.4.0+oryOS.17, when using client authentication method 'private_key_jwt' [1], OpenId specification says the following about assertion `jti`: "A unique identifier for the token, which can be used to prevent reuse of the token. | 5.3 |
| 2019-02-17 | CVE-2019-8400 | Cross-site Scripting vulnerability in ORY Hydra ORY Hydra before v1.0.0-rc.3+oryOS.9 has Reflected XSS via the oauth2/fallbacks/error error_hint parameter. | 6.1 |