Search criteria
2 vulnerabilities found for micronaut_security by objectcomputing
CVE-2023-36820 (GCVE-0-2023-36820)
Vulnerability from nvd – Published: 2023-10-09 13:30 – Updated: 2024-09-19 14:39
VLAI?
Title
micronaut security has invalid IdTokenClaimsValidator logic on aud
Summary
Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.
Severity ?
4.8 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| micronaut-projects | micronaut-security |
Affected:
>= 3.11.0, < 3.11.1
Affected: >= 3.10.0, < 3.10.2 Affected: >= 3.9.0, < 3.9.6 Affected: >= 3.8.0, < 3.8.4 Affected: >= 3.7.0, < 3.7.4 Affected: >= 3.6.0, < 3.6.6 Affected: >= 3.5.0, < 3.5.3 Affected: >= 3.4.0, < 3.4.3 Affected: >= 3.3.0, < 3.3.2 Affected: >= 3.2.0, < 3.2.4 Affected: >= 3.1.0, < 3.1.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:01:09.850Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h"
},
{
"name": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-36820",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-19T14:38:54.670086Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-19T14:39:04.617Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "micronaut-security",
"vendor": "micronaut-projects",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.11.0, \u003c 3.11.1"
},
{
"status": "affected",
"version": "\u003e= 3.10.0, \u003c 3.10.2"
},
{
"status": "affected",
"version": "\u003e= 3.9.0, \u003c 3.9.6"
},
{
"status": "affected",
"version": "\u003e= 3.8.0, \u003c 3.8.4"
},
{
"status": "affected",
"version": "\u003e= 3.7.0, \u003c 3.7.4"
},
{
"status": "affected",
"version": "\u003e= 3.6.0, \u003c 3.6.6"
},
{
"status": "affected",
"version": "\u003e= 3.5.0, \u003c 3.5.3"
},
{
"status": "affected",
"version": "\u003e= 3.4.0, \u003c 3.4.3"
},
{
"status": "affected",
"version": "\u003e= 3.3.0, \u003c 3.3.2"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.4"
},
{
"status": "affected",
"version": "\u003e= 3.1.0, \u003c 3.1.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-09T13:30:26.387Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h"
},
{
"name": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980"
}
],
"source": {
"advisory": "GHSA-qw22-8w9r-864h",
"discovery": "UNKNOWN"
},
"title": "micronaut security has invalid IdTokenClaimsValidator logic on aud"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-36820",
"datePublished": "2023-10-09T13:30:26.387Z",
"dateReserved": "2023-06-27T15:43:18.385Z",
"dateUpdated": "2024-09-19T14:39:04.617Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-36820 (GCVE-0-2023-36820)
Vulnerability from cvelistv5 – Published: 2023-10-09 13:30 – Updated: 2024-09-19 14:39
VLAI?
Title
micronaut security has invalid IdTokenClaimsValidator logic on aud
Summary
Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.
Severity ?
4.8 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| micronaut-projects | micronaut-security |
Affected:
>= 3.11.0, < 3.11.1
Affected: >= 3.10.0, < 3.10.2 Affected: >= 3.9.0, < 3.9.6 Affected: >= 3.8.0, < 3.8.4 Affected: >= 3.7.0, < 3.7.4 Affected: >= 3.6.0, < 3.6.6 Affected: >= 3.5.0, < 3.5.3 Affected: >= 3.4.0, < 3.4.3 Affected: >= 3.3.0, < 3.3.2 Affected: >= 3.2.0, < 3.2.4 Affected: >= 3.1.0, < 3.1.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:01:09.850Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h"
},
{
"name": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-36820",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-19T14:38:54.670086Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-19T14:39:04.617Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "micronaut-security",
"vendor": "micronaut-projects",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.11.0, \u003c 3.11.1"
},
{
"status": "affected",
"version": "\u003e= 3.10.0, \u003c 3.10.2"
},
{
"status": "affected",
"version": "\u003e= 3.9.0, \u003c 3.9.6"
},
{
"status": "affected",
"version": "\u003e= 3.8.0, \u003c 3.8.4"
},
{
"status": "affected",
"version": "\u003e= 3.7.0, \u003c 3.7.4"
},
{
"status": "affected",
"version": "\u003e= 3.6.0, \u003c 3.6.6"
},
{
"status": "affected",
"version": "\u003e= 3.5.0, \u003c 3.5.3"
},
{
"status": "affected",
"version": "\u003e= 3.4.0, \u003c 3.4.3"
},
{
"status": "affected",
"version": "\u003e= 3.3.0, \u003c 3.3.2"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.4"
},
{
"status": "affected",
"version": "\u003e= 3.1.0, \u003c 3.1.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-09T13:30:26.387Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h"
},
{
"name": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980"
}
],
"source": {
"advisory": "GHSA-qw22-8w9r-864h",
"discovery": "UNKNOWN"
},
"title": "micronaut security has invalid IdTokenClaimsValidator logic on aud"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-36820",
"datePublished": "2023-10-09T13:30:26.387Z",
"dateReserved": "2023-06-27T15:43:18.385Z",
"dateUpdated": "2024-09-19T14:39:04.617Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}