जमा करें #857897: django-oauth django-oauth-toolkit 3.3.0 at commit ddec25b491e52d7f4a1e2cf13a436ffddcf6c782 CWE-613 Insufficient Session Expirationजानकारी

शीर्षकdjango-oauth django-oauth-toolkit 3.3.0 at commit ddec25b491e52d7f4a1e2cf13a436ffddcf6c782 CWE-613 Insufficient Session Expiration
विवरणdjango-oauth-toolkit 3.3.0 defaults REFRESH_TOKEN_EXPIRE_SECONDS to None. Refresh token validation in oauth2_provider.oauth2_validators checks token existence, revocation grace, and application/client ownership, but it does not enforce an absolute token age limit. The cleanup path in oauth2_provider.models also deletes old refresh tokens only when REFRESH_TOKEN_EXPIRE_SECONDS is configured. This issue is conditional because deployments can override the setting and long-lived refresh tokens may be an explicit policy choice. However, in default deployments, an attacker who obtains a valid non-revoked refresh token can continue exchanging it for access tokens without an absolute expiry boundary. Remediation should set or strongly encourage a finite refresh token lifetime, document the risk of REFRESH_TOKEN_EXPIRE_SECONDS=None, and provide migration guidance for applications that intentionally require long-lived refresh tokens.
स्रोत⚠️ https://github.com/django-oauth/django-oauth-toolkit/issues/1715
उपयोगकर्ता
 Galaxyn (UID 98388)
सबमिशन13/06/2026 12:54 PM (1 महीना पहले)
संयम18/07/2026 10:23 AM (1 month later)
स्थितिस्वीकृत
VulDB प्रविष्टि380022 [django-oauth django-oauth-toolkit 3.3.0 oauth2_validators.py _load_id_token कमजोर प्रमाणीकरण]
अंक20

Do you know our Splunk app?

Download it now for free!