Vulnerabilities > ORY

DATE CVE VULNERABILITY TITLE RISK
2021-06-22 CVE-2021-32701 Incorrect Authorization vulnerability in ORY Oathkeeper
ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules.
network
ory CWE-863
4.3
2020-10-02 CVE-2020-15233 Open Redirect vulnerability in ORY Fosite
ORY Fosite is a security first OAuth2 & OpenID Connect framework for Go.
network
ory CWE-601
4.9
2020-10-02 CVE-2020-15234 Improper Handling of Case Sensitivity vulnerability in ORY Fosite
ORY Fosite is a security first OAuth2 & OpenID Connect framework for Go.
network
ory CWE-178
4.9
2020-09-24 CVE-2020-15223 Improper Check for Unusual or Exceptional Conditions vulnerability in ORY Fosite
In ORY Fosite (the security first OAuth2 & OpenID Connect framework for Go) before version 0.34.0, the `TokenRevocationHandler` ignores errors coming from the storage.
network
high complexity
ory CWE-754
8.0
2020-09-24 CVE-2020-15222 Insufficient Verification of Data Authenticity vulnerability in ORY Fosite
In ORY Fosite (the security first OAuth2 & OpenID Connect framework for Go) before version 0.31.0, when using "private_key_jwt" authentication the uniqueness of the `jti` value is not checked.
network
ory CWE-345
5.8
2020-04-06 CVE-2020-5300 Authentication Bypass by Capture-replay vulnerability in ORY Hydra
In Hydra (an OAuth2 Server and OpenID Certified™ OpenID Connect Provider written in Go), before version 1.4.0+oryOS.17, when using client authentication method 'private_key_jwt' [1], OpenId specification says the following about assertion `jti`: "A unique identifier for the token, which can be used to prevent reuse of the token.
network
ory CWE-294
3.5
2019-02-17 CVE-2019-8400 Cross-site Scripting vulnerability in ORY Hydra
ORY Hydra before v1.0.0-rc.3+oryOS.9 has Reflected XSS via the oauth2/fallbacks/error error_hint parameter.
network
ory CWE-79
4.3