GHSA-rv9j-c866-gp5h

Source
https://github.com/advisories/GHSA-rv9j-c866-gp5h
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-rv9j-c866-gp5h/GHSA-rv9j-c866-gp5h.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-rv9j-c866-gp5h
Aliases
Published
2024-01-09T18:25:47Z
Modified
2024-02-16T08:19:00.574227Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
Summary
Microsoft.IdentityModel.Protocols.SignedHttpRequest remote code execution vulnerability
Details

Impact

What kind of vulnerability is it? Who is impacted? Anyone leveraging the SignedHttpRequest protocol or the SignedHttpRequestValidator is vulnerable. Microsoft.IdentityModel trusts the jku claim by default for the SignedHttpRequest protocol: when the validator resolves the proof-of-possession key it will dereference the JWK Set URL named in the token, before that token has been verified. This raises the possibility of making any remote or local HTTP GET request from the validating host, with the URL chosen by the party presenting the token.

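The following is an added illustration written for this page; it is not code from Microsoft.IdentityModel and does not reproduce its API. It models the decision the advisory is about: a validator receives a signed-HTTP-request token, finds a jku (JWK Set URL) in the not-yet-verified claims, and must decide whether to issue a GET to it to fetch the proof-of-possession key. The policy field names (allow_resolving_pop_key_from_jku, allowed_hosts, require_https), the token layout (jku carried under the cnf claim) and the sample tokens are assumptions constructed for the example. The "permissive" policy stands in for the pre-fix behaviour the advisory describes (jku trusted by default, no host restriction); the "hardened" policy shows the checks a practitioner wants: off by default, https only, exact hostname allowlist.

```python
import base64
import json
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, as used in JWS compact serialization."""
    data += "=" * (-len(data) % 4)
    return base64.urlsafe_b64decode(data)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_token(payload: dict) -> str:
    """Build a JWS compact string with a placeholder signature.

    Constructed sample only. The example is about what happens *before*
    signature verification, when the validator still has to locate the key.
    """
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "pop"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.{b64url_encode(b'not-a-real-signature')}"


def extract_jku(token: str) -> Optional[str]:
    """Return cnf.jku from the (unverified) payload, or None if absent."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact token")
    claims = json.loads(b64url_decode(parts[1]))
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict):
        return None
    jku = cnf.get("jku")
    return jku if isinstance(jku, str) else None


@dataclass(frozen=True)
class JkuPolicy:
    # Hypothetical policy object. Secure defaults: never dereference a
    # caller-supplied jku unless explicitly enabled and host-pinned.
    allow_resolving_pop_key_from_jku: bool = False
    allowed_hosts: Optional[frozenset] = frozenset()  # None = no host restriction
    require_https: bool = True


def is_jku_allowed(jku: str, policy: JkuPolicy) -> bool:
    """Decide whether the validator may GET this jku under the policy."""
    if not policy.allow_resolving_pop_key_from_jku:
        return False
    url = urlsplit(jku)
    if policy.require_https and url.scheme != "https":
        return False
    # .hostname drops userinfo and port, so "https://ok.example@evil.example/"
    # is matched on "evil.example", not on the decoy in front of the "@".
    host = url.hostname
    if host is None:
        return False
    if policy.allowed_hosts is None:
        return True
    return host.lower() in policy.allowed_hosts


def resolve_pop_key_url(token: str, policy: JkuPolicy) -> Optional[str]:
    """Return the URL the validator would GET for the PoP key, None if the
    token carries no jku, or raise PermissionError if the policy refuses it."""
    jku = extract_jku(token)
    if jku is None:
        return None
    if not is_jku_allowed(jku, policy):
        raise PermissionError(f"refusing to retrieve PoP key from {jku!r}")
    return jku


# Models the pre-fix default described in the advisory: jku is trusted as-is.
PERMISSIVE = JkuPolicy(allow_resolving_pop_key_from_jku=True, allowed_hosts=None, require_https=False)
# The shape a practitioner wants: opt-in, https only, exact host allowlist.
HARDENED = JkuPolicy(allow_resolving_pop_key_from_jku=True, allowed_hosts=frozenset({"login.example.com"}))

# Constructed sample tokens (no real issuer, no real signature).
ATTACKER_TOKEN = make_token({"cnf": {"jku": "http://169.254.169.254/latest/meta-data/"}})
LEGIT_TOKEN = make_token({"cnf": {"jku": "https://login.example.com/keys"}})


if __name__ == "__main__":
    print("permissive ->", resolve_pop_key_url(ATTACKER_TOKEN, PERMISSIVE))
    try:
        resolve_pop_key_url(ATTACKER_TOKEN, HARDENED)
    except PermissionError as e:
        print("hardened   ->", e)
```

With the permissive policy the attacker's token steers the validator into a GET against a link-local metadata address; with the hardened policy the same token is rejected before any network request, while a jku on the allowlisted host over https is still honoured. Note that the allowlist check is on the parsed hostname, so neither an http downgrade, a userinfo decoy ("https://login.example.com@evil.example/") nor a suffix lookalike ("login.example.com.evil.example") passes.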
Patches

Has the problem been patched? What versions should users upgrade to? The vulnerability has been fixed in Microsoft.IdentityModel.Protocols.SignedHttpRequest. Anyone using that package should update all of their Microsoft.IdentityModel packages to 7.1.2 or higher (for 7.x) or 6.34.0 or higher (for 6.x).

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading? No; users must upgrade.

References

Are there any links users can visit to find out more? https://aka.ms/IdentityModel/Jan2024/jku

Database specific
{
    "nvd_published_at": "2024-01-10T05:15:09Z",
    "cwe_ids": [
        "CWE-94"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-09T18:25:47Z"
}

Affected packages

NuGet / Microsoft.IdentityModel.Protocols.SignedHttpRequest

Package

Name
Microsoft.IdentityModel.Protocols.SignedHttpRequest
Purl
pkg:nuget/Microsoft.IdentityModel.Protocols.SignedHttpRequest

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
6.34.0

Affected versions

6.*

6.5.0
6.5.1
6.6.0
6.7.0
6.7.1
6.7.2-preview-10803222715
6.8.0
6.9.0
6.10.0
6.10.1
6.10.2
6.11.0
6.11.1
6.12.0
6.12.1
6.12.2
6.13.0
6.13.1
6.14.0
6.14.1
6.15.0
6.15.1
6.16.0
6.17.0
6.18.0
6.19.0
6.20.0
6.21.0
6.22.0
6.22.1
6.23.0
6.23.1
6.24.0
6.25.0
6.25.1
6.26.0
6.26.1
6.27.0
6.28.0
6.28.1
6.29.0
6.30.0
6.30.1
6.31.0
6.32.0
6.32.1
6.32.2
6.32.3
6.33.0

NuGet / Microsoft.IdentityModel.Protocols.SignedHttpRequest

Package

Name
Microsoft.IdentityModel.Protocols.SignedHttpRequest
Purl
pkg:nuget/Microsoft.IdentityModel.Protocols.SignedHttpRequest

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0-preview
Fixed
7.1.2

Affected versions

7.*

7.0.0-preview
7.0.0-preview2
7.0.0-preview3
7.0.0-preview4
7.0.0-preview5
7.0.0
7.0.1
7.0.2
7.0.3
7.1.0-preview