CVE-2020-5300: 
NixOS vulnerability analysis and mitigation

CVE-2020-5300 is a vulnerability in Ory Hydra's implementation of OpenID Connect client authentication that was discovered and disclosed in April 2020. The vulnerability allowed potential replay attacks of private_key_jwt tokens due to insufficient validation of JWT ID (jti) claims. This affected Ory Hydra versions up to v1.3.2+oryOS.17 (GitHub Advisory).

The vulnerability stems from Hydra's failure to properly validate the uniqueness of the JWT ID (jti) claim when using the 'private_key_jwt' client authentication method. According to the OpenID specification, these tokens must only be used once, unless specific conditions for reuse are negotiated between parties. The vulnerability allowed the same client assertion JWT to be used multiple times to obtain different access tokens, contrary to the specification requirements (GitHub Advisory).

The vulnerability could allow an attacker who has intercepted a valid client assertion JWT to replay it multiple times to obtain additional valid access tokens. However, the impact was somewhat mitigated by two factors: the requirement for TLS (which protects against MITM attacks) and the JWT's built-in expiry time which limited the window of opportunity for replay attacks (GitHub Advisory).

The vulnerability was patched in version v1.4.0+oryOS.17 by implementing a blacklist for JTIs to prevent token reuse. Before applying the patch, two workarounds were available: 1) Disabling the use of private_key_jwt authentication method for clients, or 2) Using very short expiry times for the JWTs to minimize the replay window. The patch requires creating a new SQL table using 'hydra migrate sql' command (GitHub Release).