How severe is CVE-2020-5300?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 5.3 out of 10.

What type of vulnerability is CVE-2020-5300?

This is classified as CWE-294, which is a common weakness in software security.

CVE-2020-5300 - MEDIUM Severity | CVSS 5.3

Vulnerability Description

In Hydra (an OAuth2 Server and OpenID Certified™ OpenID Connect Provider written in Go), before version 1.4.0+oryOS.17, when using client authentication method 'private_key_jwt' [1], OpenId specification says the following about assertion `jti`: "A unique identifier for the token, which can be used to prevent reuse of the token. These tokens MUST only be used once, unless conditions for reuse were negotiated between the parties". Hydra does not check the uniqueness of this `jti` value. Exploiting this vulnerability is somewhat difficult because: - TLS protects against MITM which makes it difficult to intercept valid tokens for replay attacks - The expiry time of the JWT gives only a short window of opportunity where it could be replayed This has been patched in version v1.4.0+oryOS.17

Related Vulnerabilities

CVE-2018-14781

MEDIUM

CVSS:5.3(Medium)

Medtronic MiniMed MMT devices when paired with a remote controller and having the “easy bolus” and “remote bolus” options enabled (non-default), are vulnerable to a capture-replay attack. An attacker ...

CWE-2942018

CVE-2018-16242

MEDIUM

CVSS:5.3(Medium)

oBike relies on Hangzhou Luoping Smart Locker to lock bicycles, which allows attackers to bypass the locking mechanism by using Bluetooth Low Energy (BLE) to replay ciphertext based on a predictable n...

CWE-2942018

CVE-2021-46145

MEDIUM

CVSS:5.3(Medium)

The keyfob subsystem in Honda Civic 2012 vehicles allows a replay attack for unlocking. This is related to a non-expiring rolling code and counter resynchronization.

CWE-2942021

CVE-2022-27254

MEDIUM

CVSS:5.3(Medium)

The remote keyless system on Honda Civic 2018 vehicles sends the same RF signal for each door-open request, which allows for a replay attack, a related issue to CVE-2019-20626.

CWE-2942022

CVE-2023-1537

MEDIUM

CVSS:5.3(Medium)

Authentication Bypass by Capture-replay in GitHub repository answerdev/answer prior to 1.0.6.

CWE-2942023

CVE-2023-50128

MEDIUM

CVSS:5.3(Medium)

The remote keyless system of the Hozard alarm system (alarmsystemen) v1.0 sends an identical radio frequency signal for each request, which results in an attacker being able to conduct replay attacks ...

CWE-2942023