Denial of Service Vulnerability in oidcc OpenID Connect Client for Erlang
CVE-2024-31209

CVE Published:
4 April 2024

What is CVE-2024-31209?

The oidcc library, used to implement OpenID Connect in Erlang applications, is susceptible to a Denial of Service attack through atom exhaustion. The vulnerability is reachable by invoking oidcc_provider_configuration_worker:get_provider_configuration/1 or oidcc_provider_configuration_worker:get_jwks/1. Because atoms in the BEAM VM are never garbage collected, exhausting the atom table can make the node unstable and interrupt service. Users are strongly encouraged to upgrade to version 3.1.2 or 3.2.0-beta.3, where this issue has been addressed.
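The vulnerability class described above, illustrated with an added Erlang example that is not oidcc's code: an unsafe helper that turns every untrusted binary into a fresh atom is shown beside the hardened form, which only resolves names to atoms the application already defined, and the demo reports how the atom table grows under each. The module name, function names and the `provider_N` sample inputs are constructed for the example.

```erlang
%% atom_exhaustion_demo.erl: added illustrative example, not oidcc's code.
-module(atom_exhaustion_demo).
-export([unsafe_to_atom/1, safe_to_atom/1, demo/0]).

%% Vulnerable pattern: every distinct untrusted binary allocates a new atom.
%% Atoms are never garbage collected, so an attacker who controls the input
%% can grow the table until the node hits erlang:system_info(atom_limit)
%% and crashes.
unsafe_to_atom(Name) when is_binary(Name) ->
    binary_to_atom(Name, utf8).

%% Hardened pattern: binary_to_existing_atom/2 only succeeds for atoms the
%% application itself already created (e.g. configured provider names).
%% Unknown input is rejected with an error tuple instead of allocating.
safe_to_atom(Name) when is_binary(Name) ->
    try
        {ok, binary_to_existing_atom(Name, utf8)}
    catch
        error:badarg -> {error, unknown_name}
    end.

%% Runs the safe form first (no new atoms), then the unsafe form over the
%% same constructed inputs, and prints the atom table growth for each.
%% atom_count and atom_limit are standard erlang:system_info/1 keys.
demo() ->
    Inputs = [<<"provider_", (integer_to_binary(N))/binary>>
              || N <- lists:seq(1, 1000)],
    Limit = erlang:system_info(atom_limit),
    Before = erlang:system_info(atom_count),
    Accepted = length([A || {ok, A} <- lists:map(fun safe_to_atom/1, Inputs)]),
    SafeGrowth = erlang:system_info(atom_count) - Before,
    io:format("safe:   accepted ~p of ~p inputs, atoms added ~p~n",
              [Accepted, length(Inputs), SafeGrowth]),
    Mid = erlang:system_info(atom_count),
    lists:foreach(fun unsafe_to_atom/1, Inputs),
    UnsafeGrowth = erlang:system_info(atom_count) - Mid,
    io:format("unsafe: atoms added ~p (table now ~p of limit ~p)~n",
              [UnsafeGrowth, erlang:system_info(atom_count), Limit]),
    ok.
```

Monitoring erlang:system_info(atom_count) against atom_limit in production is a cheap way to detect this class of exhaustion before the node dies.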
