CVE-2023-36820

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-36820
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-36820.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-36820
Aliases
Published
2023-10-09T14:15:10Z
Modified
2024-05-30T04:08:04.464454Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips aud claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.

References

Affected packages

Git / github.com/micronaut-projects/micronaut-security

Affected ranges

Type
GIT
Repo
https://github.com/micronaut-projects/micronaut-security
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v1.*

v1.1.1
v1.2.0
v1.2.0.RC1
v1.2.1
v1.2.2
v1.2.3
v1.3.0
v1.3.0.RC1
v1.3.1
v1.3.2
v1.4.0

v2.*

v2.0.0
v2.0.0.M1
v2.0.0.M2
v2.0.0.M3
v2.0.0.RC1
v2.0.1
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.2.0
v2.2.1
v2.3.0
v2.3.1
v2.3.2
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.5.0

v3.*

v3.0.0
v3.0.0-M1
v3.0.0-M2
v3.0.0-RC1
v3.0.1
v3.1.0
v3.1.1
v3.10.0
v3.11.0
v3.2.0
v3.2.1
v3.2.2
v3.3.0
v3.4.0
v3.4.1
v3.5.0
v3.5.1
v3.5.2
v3.6.0
v3.6.1
v3.6.2
v3.6.3
v3.6.4
v3.6.5
v3.7.0
v3.7.1
v3.7.2
v3.7.3
v3.8.0
v3.8.1
v3.8.2
v3.8.3
v3.9.0
v3.9.1
v3.9.2