CVE-2020-15223

In ORY Fosite (the security first OAuth2 & OpenID Connect framework for Go) before version 0.34.0, the `TokenRevocationHandler` ignores errors coming from the storage. This can lead to unexpected 200 status codes indicating successful revocation while the token is still valid. Whether an attacker can use this for her advantage depends on the ability to trigger errors in the store. This is fixed in version 0.34.0

In ORY Fosite (the security first OAuth2 & OpenID Connect framework for Go) before version 0.34.0, the `TokenRevocationHandler` ignores errors coming from the storage. This can lead to unexpected 200 status codes indicating successful revocation while the token is still valid. Whether an attacker can use this for her advantage depends on the ability to trigger errors in the store. This is fixed in version 0.34.0

Due to improper error handling, an error with the underlying token storage may cause a user to believe a token has been successfully revoked when it is in fact still valid. An attackers ability to exploit this relies on an ability to trigger errors in the underlying storage.

### Impact The `TokenRevocationHandler` ignores errors coming from the storage. This can lead to unexpected 200 status codes indicating successful revocation while the token is still valid. Whether an attacker can use this for her advantage depends on the ability to trigger errors in the store. ### References [RFC 7009](https://tools.ietf.org/html/rfc7009#section-2.2.1) states that a 503 HTTP code must be returned when the server has a problem.

En ORY Fosite (el primer framework de seguridad OAuth2 & OpenID Connect para Go) anterior a la versión 0.34.0, el "TokenRevocationHandler" ignora los errores provenientes del almacenamiento. Esto puede conllevar a 200 códigos de estado no previstos que indican una revocación exitosa mientras el token aún es válido. Si un atacante puede usar esto para su favor depende de la capacidad de desencadenar errores en la tienda. Esto se corrigió en la versión 0.34.0