Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for micronaut-security by micronaut-projects

    CVE-2023-36820 (GCVE-0-2023-36820)

    Vulnerability from nvd – Published: 2023-10-09 13:30 – Updated: 2024-09-19 14:39
    VLAI
    Title
    micronaut security has invalid IdTokenClaimsValidator logic on aud
    Summary
    Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    micronaut-projects micronaut-security Affected: >= 3.11.0, < 3.11.1
    Affected: >= 3.10.0, < 3.10.2
    Affected: >= 3.9.0, < 3.9.6
    Affected: >= 3.8.0, < 3.8.4
    Affected: >= 3.7.0, < 3.7.4
    Affected: >= 3.6.0, < 3.6.6
    Affected: >= 3.5.0, < 3.5.3
    Affected: >= 3.4.0, < 3.4.3
    Affected: >= 3.3.0, < 3.3.2
    Affected: >= 3.2.0, < 3.2.4
    Affected: >= 3.1.0, < 3.1.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T17:01:09.850Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h"
              },
              {
                "name": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-36820",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-19T14:38:54.670086Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-19T14:39:04.617Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "micronaut-security",
              "vendor": "micronaut-projects",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 3.11.0, \u003c 3.11.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.10.0, \u003c 3.10.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.9.0, \u003c 3.9.6"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.8.0, \u003c 3.8.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.7.0, \u003c 3.7.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.6.0, \u003c 3.6.6"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.5.0, \u003c 3.5.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.4.0, \u003c 3.4.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.3.0, \u003c 3.3.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.2.0, \u003c 3.2.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.1.0, \u003c 3.1.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-10-09T13:30:26.387Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h"
            },
            {
              "name": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980"
            }
          ],
          "source": {
            "advisory": "GHSA-qw22-8w9r-864h",
            "discovery": "UNKNOWN"
          },
          "title": "micronaut security has invalid IdTokenClaimsValidator logic on aud"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-36820",
        "datePublished": "2023-10-09T13:30:26.387Z",
        "dateReserved": "2023-06-27T15:43:18.385Z",
        "dateUpdated": "2024-09-19T14:39:04.617Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-36820 (GCVE-0-2023-36820)

    Vulnerability from cvelistv5 – Published: 2023-10-09 13:30 – Updated: 2024-09-19 14:39
    VLAI
    Title
    micronaut security has invalid IdTokenClaimsValidator logic on aud
    Summary
    Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    micronaut-projects micronaut-security Affected: >= 3.11.0, < 3.11.1
    Affected: >= 3.10.0, < 3.10.2
    Affected: >= 3.9.0, < 3.9.6
    Affected: >= 3.8.0, < 3.8.4
    Affected: >= 3.7.0, < 3.7.4
    Affected: >= 3.6.0, < 3.6.6
    Affected: >= 3.5.0, < 3.5.3
    Affected: >= 3.4.0, < 3.4.3
    Affected: >= 3.3.0, < 3.3.2
    Affected: >= 3.2.0, < 3.2.4
    Affected: >= 3.1.0, < 3.1.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T17:01:09.850Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h"
              },
              {
                "name": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-36820",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-19T14:38:54.670086Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-19T14:39:04.617Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "micronaut-security",
              "vendor": "micronaut-projects",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 3.11.0, \u003c 3.11.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.10.0, \u003c 3.10.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.9.0, \u003c 3.9.6"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.8.0, \u003c 3.8.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.7.0, \u003c 3.7.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.6.0, \u003c 3.6.6"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.5.0, \u003c 3.5.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.4.0, \u003c 3.4.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.3.0, \u003c 3.3.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.2.0, \u003c 3.2.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.1.0, \u003c 3.1.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-10-09T13:30:26.387Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h"
            },
            {
              "name": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980"
            }
          ],
          "source": {
            "advisory": "GHSA-qw22-8w9r-864h",
            "discovery": "UNKNOWN"
          },
          "title": "micronaut security has invalid IdTokenClaimsValidator logic on aud"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-36820",
        "datePublished": "2023-10-09T13:30:26.387Z",
        "dateReserved": "2023-06-27T15:43:18.385Z",
        "dateUpdated": "2024-09-19T14:39:04.617Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }