GHSA-qw22-8w9r-864h

Source
https://github.com/advisories/GHSA-qw22-8w9r-864h
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qw22-8w9r-864h/GHSA-qw22-8w9r-864h.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qw22-8w9r-864h
Aliases
Published
2023-10-05T20:55:14Z
Modified
2024-02-16T08:02:17.626198Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
io.micronaut.security:micronaut-security-oauth2 has invalid IdTokenClaimsValidator logic on aud
Details

Summary

IdTokenClaimsValidator skips validation of the `aud` (audience) claim whenever the token's `iss` claim matches the configured issuer. As a result, an ID token that the same provider issued for a different client application is accepted as if it had been issued for this one.

Details

See https://github.com/micronaut-projects/micronaut-security/blob/master/security-oauth2/src/main/java/io/micronaut/security/oauth2/client/IdTokenClaimsValidator.java#L202

This logic violates point 3 of the ID Token Validation rules in OpenID Connect Core 1.0 (https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation): the client MUST verify that the `aud` claim contains the client_id it registered with the issuer.

A workaround exists: set `micronaut.security.token.jwt.claims-validators.audience` to the valid audience value(s), i.e. your client id(s), so that the `aud` claim is checked independently of the flawed IdTokenClaimsValidator logic. `micronaut.security.token.jwt.claims-validators.openid-idtoken` can be left at its default (enabled).

PoC

The vulnerable condition omits the audience check entirely; it should additionally require that the token's audience list contains the client id:

                return issuer.equalsIgnoreCase(iss) &&
                        audiences.contains(clientId) &&
                                validateAzp(claims, clientId, audiences);

Impact

Any OIDC deployment using Micronaut in which several OIDC client applications are registered with the same issuer but ID tokens issued to one application must not be honoured by another: because the `aud` claim is not checked, an ID token obtained for one client of the issuer is accepted as valid by every other Micronaut client of that issuer.

Mitigation

Upgrade to a patched micronaut-security-oauth2 release as soon as possible (the fixed version for each affected 3.x minor line is listed under Affected packages below).

If you cannot upgrade, for example because you are still on Micronaut Framework 2, you can patch your application by registering a bean that replaces IdTokenClaimsValidator and adds the missing audience check, such as the IdTokenClaimsValidatorReplacement below:

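package cve;

import io.micronaut.context.annotation.Replaces;
import io.micronaut.context.annotation.Requires;
import io.micronaut.core.annotation.NonNull;
import io.micronaut.core.util.StringUtils;
import io.micronaut.security.config.SecurityConfigurationProperties;
import io.micronaut.security.oauth2.client.IdTokenClaimsValidator;
import io.micronaut.security.oauth2.configuration.OauthClientConfiguration;
import io.micronaut.security.oauth2.configuration.OpenIdClientConfiguration;
import io.micronaut.security.token.jwt.generator.claims.JwtClaims;
import io.micronaut.security.token.jwt.validator.JwtClaimsValidatorConfigurationProperties;

// javax.inject is the Micronaut 2 namespace. NOTE(review): later framework versions moved
// to jakarta.inject; adjust this import if you apply the patch on a newer framework.
import javax.inject.Singleton;
import java.net.URL;
import java.util.Collection;
import java.util.List;
import java.util.Optional;

/**
 * Drop-in replacement for {@link IdTokenClaimsValidator} that enforces the audience
 * check the vulnerable versions skip (GHSA-qw22-8w9r-864h).
 *
 * <p>The bean is only active when ID-token authentication is configured and the OpenID
 * ID-token claims validator has not been switched off, mirroring the conditions under
 * which the original validator is created. A token passes only if its {@code iss}
 * matches the configured issuer, its {@code aud} contains this client's id (OpenID
 * Connect Core 1.0, ID Token Validation rule 3) and the inherited {@code azp} check holds.
 */
@Requires(property = SecurityConfigurationProperties.PREFIX + ".authentication", value = "idtoken")
@Requires(property = JwtClaimsValidatorConfigurationProperties.PREFIX + ".openid-idtoken", notEquals = StringUtils.FALSE)
@Singleton
@Replaces(IdTokenClaimsValidator.class)
public class IdTokenClaimsValidatorReplacement extends IdTokenClaimsValidator {

    /**
     * @param oauthClientConfigurations the OAuth 2.0 client configurations, passed through
     *                                  unchanged to the parent validator
     */
    public IdTokenClaimsValidatorReplacement(Collection<OauthClientConfiguration> oauthClientConfigurations) {
        super(oauthClientConfigurations);
    }

    /**
     * Validates the issuer, audience and authorized-party claims of an ID token.
     *
     * @param claims                    the parsed JWT claims
     * @param iss                       the token's {@code iss} claim
     * @param audiences                 the token's {@code aud} claim values
     * @param clientId                  this client's id as registered at the issuer
     * @param openIdClientConfiguration the OpenID client configuration the token is checked against
     * @return {@code true} only if an issuer is configured, it matches {@code iss},
     *         {@code audiences} contains {@code clientId} and {@link #validateAzp} accepts
     *         the token; {@code false} otherwise, including when no issuer is configured
     */
    @Override
    protected boolean validateIssuerAudienceAndAzp(@NonNull JwtClaims claims,
                                                   @NonNull String iss,
                                                   @NonNull List<String> audiences,
                                                   @NonNull String clientId,
                                                   @NonNull OpenIdClientConfiguration openIdClientConfiguration) {
        Optional<URL> configuredIssuer = openIdClientConfiguration.getIssuer();
        // A client without a configured issuer cannot be validated: reject, never accept by default.
        if (!configuredIssuer.isPresent()) {
            return false;
        }
        // Upstream compares the issuer case-insensitively; kept for compatibility with the
        // original validator. NOTE(review): OpenID Connect Core (ID Token Validation rule 2)
        // calls for an exact match of the iss value, so a strict equals() would be tighter.
        String issuer = configuredIssuer.get().toString();
        if (!issuer.equalsIgnoreCase(iss)) {
            return false;
        }
        // This is the check the vulnerable versions omit: the aud claim MUST contain our
        // client_id (rule 3). Without it, a token minted for another client of the same
        // issuer is accepted.
        if (!audiences.contains(clientId)) {
            return false;
        }
        // Authorized-party (azp) rule is inherited unchanged from the parent validator.
        return validateAzp(claims, clientId, audiences);
    }
}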

Database specific
{
    "nvd_published_at": "2023-10-09T14:15:10Z",
    "cwe_ids": [
        "CWE-284"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-05T20:55:14Z"
}
References

Affected packages

Maven / io.micronaut.security:micronaut-security-oauth2

Package

Name
io.micronaut.security:micronaut-security-oauth2
Purl
pkg:maven/io.micronaut.security/micronaut-security-oauth2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.11.0
Fixed
3.11.1

Affected versions

3.*

3.11.0

Maven / io.micronaut.security:micronaut-security-oauth2

Package

Name
io.micronaut.security:micronaut-security-oauth2
Purl
pkg:maven/io.micronaut.security/micronaut-security-oauth2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.10.0
Fixed
3.10.2

Affected versions

3.*

3.10.0
3.10.1

Maven / io.micronaut.security:micronaut-security-oauth2

Package

Name
io.micronaut.security:micronaut-security-oauth2
Purl
pkg:maven/io.micronaut.security/micronaut-security-oauth2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.9.0
Fixed
3.9.6

Affected versions

3.*

3.9.0
3.9.1
3.9.2
3.9.3
3.9.4
3.9.5

Maven / io.micronaut.security:micronaut-security-oauth2

Package

Name
io.micronaut.security:micronaut-security-oauth2
Purl
pkg:maven/io.micronaut.security/micronaut-security-oauth2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.8.0
Fixed
3.8.4

Affected versions

3.*

3.8.0
3.8.1
3.8.2
3.8.3

Maven / io.micronaut.security:micronaut-security-oauth2

Package

Name
io.micronaut.security:micronaut-security-oauth2
Purl
pkg:maven/io.micronaut.security/micronaut-security-oauth2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.7.0
Fixed
3.7.4

Affected versions

3.*

3.7.0
3.7.1
3.7.2
3.7.3

Maven / io.micronaut.security:micronaut-security-oauth2

Package

Name
io.micronaut.security:micronaut-security-oauth2
Purl
pkg:maven/io.micronaut.security/micronaut-security-oauth2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.6.0
Fixed
3.6.6

Affected versions

3.*

3.6.0
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5

Maven / io.micronaut.security:micronaut-security-oauth2

Package

Name
io.micronaut.security:micronaut-security-oauth2
Purl
pkg:maven/io.micronaut.security/micronaut-security-oauth2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.5.0
Fixed
3.5.3

Affected versions

3.*

3.5.0
3.5.1
3.5.2

Maven / io.micronaut.security:micronaut-security-oauth2

Package

Name
io.micronaut.security:micronaut-security-oauth2
Purl
pkg:maven/io.micronaut.security/micronaut-security-oauth2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.4.0
Fixed
3.4.3

Affected versions

3.*

3.4.0
3.4.1
3.4.2

Maven / io.micronaut.security:micronaut-security-oauth2

Package

Name
io.micronaut.security:micronaut-security-oauth2
Purl
pkg:maven/io.micronaut.security/micronaut-security-oauth2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.3.0
Fixed
3.3.2

Affected versions

3.*

3.3.0
3.3.1

Maven / io.micronaut.security:micronaut-security-oauth2

Package

Name
io.micronaut.security:micronaut-security-oauth2
Purl
pkg:maven/io.micronaut.security/micronaut-security-oauth2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.2.0
Fixed
3.2.4

Affected versions

3.*

3.2.0
3.2.1
3.2.2
3.2.3

Maven / io.micronaut.security:micronaut-security-oauth2

Package

Name
io.micronaut.security:micronaut-security-oauth2
Purl
pkg:maven/io.micronaut.security/micronaut-security-oauth2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.1.0
Fixed
3.1.2

Affected versions

3.*

3.1.0
3.1.1