CVE-2024-51987

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-51987
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-51987.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-51987
Aliases
Published
2024-11-07T23:36:16.989Z
Modified
2025-12-05T07:18:49.769364Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
Summary
HTTP Client uses incorrect token after refresh in Duende.AccessTokenManagement.OpenIdConnect
Details

Duende.AccessTokenManagement.OpenIdConnect is a set of .NET libraries that manage OAuth and OpenId Connect access tokens. HTTP Clients created by AddUserAccessTokenHttpClient may use a different user's access token after a token refresh occurs. This occurs because a refreshed token will be captured in pooled HttpClient instances, which may be used by a different user. Instead of using AddUserAccessTokenHttpClient to create an HttpClient that automatically adds a managed token to outgoing requests, you can use the HttpConext.GetUserAccessTokenAsync extension method or the IUserTokenManagementService.GetAccessTokenAsync method. This issue is fixed in Duende.AccessTokenManagement.OpenIdConnect 3.0.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/51xxx/CVE-2024-51987.json",
    "cwe_ids": [
        "CWE-270"
    ]
}
References

Affected packages

Git / github.com/duendesoftware/duende.accesstokenmanagement

Affected ranges

Type
GIT
Repo
https://github.com/duendesoftware/duende.accesstokenmanagement
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
b0f2ac089375cecaf7c2f3f83bb52af6ded0e54a
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "= 3.0.0"
        }
    ]
}

Affected versions

1.*
1.0.0
1.0.0-preview.1
1.0.0-preview.2
1.0.0-preview.3
1.0.0-preview.4
1.0.0-preview.5
1.1.0
2.*
2.0.0
2.0.0-preview.1
2.0.0-preview.1.1
2.0.0-preview.1.2
2.0.0-preview.1.3
2.0.1
2.0.2
2.0.3
2.1.0
2.1.0-preview.1
2.1.1
2.1.2
3.*
3.0.0
3.0.0-preview.1
3.0.0-preview.2
3.0.0-preview.3

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-51987.json"