CVE-2023-23929 – vantage6

Package

Manager: pip
Name: vantage6
Vulnerable Version: >=0 <3.8.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00075 pctl0.2332

Details

vantage6 refresh tokens do not expire From issue: Problem description Currently, the refresh token is valid indefinitely. This is bad security practice. Desired solution The refresh token should get a validity of 24-48 hours. Additional context When implementing this, also check that the refresh token returns a new refresh token When implementing this, also adapt the UI so that it logs out if refresh token is no longer valid. When implementing this, ensure that nodes refresh their token periodically so that they do not have to be restarted manually. ### Impact ### Patches None available ### Workarounds None available

Metadata

Created: 2023-02-28T23:20:05Z
Modified: 2024-11-18T23:10:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-4w59-c3gc-rrhp/GHSA-4w59-c3gc-rrhp.json
CWE IDs: ["CWE-613"]
Alternative ID: GHSA-4w59-c3gc-rrhp
Finding: F076
Auto approve: 1