Elytron OAuth2IntrospectValidator is vulnerable to Uncontrolled Resource Consumption
Issue
According to sonatype-2021-0864, WildFly Elytron is vulnerable to Uncontrolled Resource Consumption.
The openConnection method in OAuth2IntrospectValidator.class does not allow for setting a connection or read timeout for introspection of the token. An attacker can exploit this by attempting to perpetually make a connection, tying up server resources and resulting in a Denial of Service (DoS) condition.
Environment
- Red Hat JBoss Enterprise Application Platform (EAP)
- 7.4.0 GA