How severe is CVE-2023-20903?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 4.3 out of 10.

What type of vulnerability is CVE-2023-20903?

This is classified as CWE-613, which is a common weakness in software security.

CVE-2023-20903 - MEDIUM Severity | CVSS 4.3

Vulnerability Description

This disclosure regards a vulnerability related to UAA refresh tokens and external identity providers.Assuming that an external identity provider is linked to the UAA, a refresh token is issued to a client on behalf of a user from that identity provider, the administrator of the UAA deactivates the identity provider from the UAA. It is expected that the UAA would reject a refresh token during a refresh token grant, but it does not (hence the vulnerability). It will continue to issue access tokens to request presenting such refresh tokens, as if the identity provider was still active. As a result, clients with refresh tokens issued through the deactivated identity provider would still have access to Cloud Foundry resources until their refresh token expires (which defaults to 30 days).

Related Vulnerabilities

CVE-2020-13305

MEDIUM

CVSS:4.3(Medium)

A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was not invalidating project invitation link upon removing a user from a project.

CWE-6132020

CVE-2020-1724

MEDIUM

CVSS:4.3(Medium)

A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account man...

CWE-6132020

CVE-2020-1776

MEDIUM

CVSS:4.3(Medium)

When an agent user is renamed or set to invalid the session belonging to the user is keept active. The session can not be used to access ticket data in the case the agent is invalid. This issue affect...

CWE-6132020

CVE-2020-4780

MEDIUM

CVSS:4.3(Medium)

OOTB build scripts does not set the secure attribute on session cookie which may impact IBM Curam Social Program Management 7.0.9 and 7.0,10. The purpose of the 'secure' attribute is to prevent cookie...

CWE-6132020

CVE-2021-20431

MEDIUM

CVSS:4.3(Medium)

IBM i2 Analyst's Notebook Premium 9.2.0, 9.2.1, and 9.2.2 does not invalidate session after logout which could allow an an attacker to obtain sensitive information from the system. IBM X-Force ID: 196...

CWE-6132021

CVE-2021-20581

MEDIUM

CVSS:4.3(Medium)

IBM Security Verify Privilege On-Premises 11.5 could allow a user to obtain sensitive information due to insufficient session expiration. IBM X-Force ID: 199324.

CWE-6132021