Vulnerability-Lookup

CVE-2023-36820 (GCVE-0-2023-36820)

Vulnerability from cvelistv5 – Published: 2023-10-09 13:30 – Updated: 2024-09-19 14:39

Title

micronaut security has invalid IdTokenClaimsValidator logic on aud

Summary

Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.

Severity ?

4.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE

CWE-284 - Improper Access Control

Assigner

GitHub_M

References

URL

Tags

	https://github.com/micronaut-projects/micronaut-s…	x_refsource_CONFIRM
	https://github.com/micronaut-projects/micronaut-s…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	micronaut-projects	micronaut-security	Affected: >= 3.11.0, < 3.11.1 Affected: >= 3.10.0, < 3.10.2 Affected: >= 3.9.0, < 3.9.6 Affected: >= 3.8.0, < 3.8.4 Affected: >= 3.7.0, < 3.7.4 Affected: >= 3.6.0, < 3.6.6 Affected: >= 3.5.0, < 3.5.3 Affected: >= 3.4.0, < 3.4.3 Affected: >= 3.3.0, < 3.3.2 Affected: >= 3.2.0, < 3.2.4 Affected: >= 3.1.0, < 3.1.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T17:01:09.850Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h"
          },
          {
            "name": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-36820",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-19T14:38:54.670086Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-19T14:39:04.617Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "micronaut-security",
          "vendor": "micronaut-projects",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 3.11.0, \u003c 3.11.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.10.0, \u003c 3.10.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.9.0, \u003c 3.9.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.8.0, \u003c 3.8.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.7.0, \u003c 3.7.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.6.0, \u003c 3.6.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.5.0, \u003c 3.5.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.4.0, \u003c 3.4.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.3.0, \u003c 3.3.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.2.0, \u003c 3.2.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.1.0, \u003c 3.1.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-09T13:30:26.387Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h"
        },
        {
          "name": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980"
        }
      ],
      "source": {
        "advisory": "GHSA-qw22-8w9r-864h",
        "discovery": "UNKNOWN"
      },
      "title": "micronaut security has invalid IdTokenClaimsValidator logic on aud"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-36820",
    "datePublished": "2023-10-09T13:30:26.387Z",
    "dateReserved": "2023-06-27T15:43:18.385Z",
    "dateUpdated": "2024-09-19T14:39:04.617Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-36820\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-10-09T14:15:10.640\",\"lastModified\":\"2024-11-21T08:10:40.067\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.\\n\"},{\"lang\":\"es\",\"value\":\"Micronaut Security es una soluci\u00f3n de seguridad para aplicaciones. Antes de las versiones 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2 y 3.11.1, IdTokenClaimsValidator omite Validaci\u00f3n de reclamo `aud` si el token es emitido por el mismo emisor/proveedor de identidad. Cualquier configuraci\u00f3n de OIDC que utilice Micronaut en la que existan varias aplicaciones OIDC para el mismo emisor, pero la autenticaci\u00f3n de token no debe compartirse. Este problema se solucion\u00f3 en las versiones 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2 y 3.11. 1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":2.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.1.2\",\"matchCriteriaId\":\"670F1AC9-632E-4D47-9492-9BAC0084BE0E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.2.0\",\"versionEndExcluding\":\"3.2.4\",\"matchCriteriaId\":\"813AFD3C-E241-4376-AAF7-C4B276055121\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.3.0\",\"versionEndExcluding\":\"3.3.2\",\"matchCriteriaId\":\"9626C2B1-79E6-4908-9ADF-E520DFC3402C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.4.0\",\"versionEndExcluding\":\"3.4.3\",\"matchCriteriaId\":\"FBCDEED9-3639-4D90-9808-F27F9E2FB02B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.5.0\",\"versionEndExcluding\":\"3.5.3\",\"matchCriteriaId\":\"FDC29054-500C-4B79-BDD5-B48D989D02E9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.6.0\",\"versionEndExcluding\":\"3.6.6\",\"matchCriteriaId\":\"EA9D354C-1D89-4B68-AF7C-D712F0A1A8AD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.7.0\",\"versionEndExcluding\":\"3.7.4\",\"matchCriteriaId\":\"9AE52168-0CAF-4BF7-B88B-AF79149F6919\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.8.0\",\"versionEndExcluding\":\"3.8.4\",\"matchCriteriaId\":\"71B1B0A7-CCA3-4199-BC32-37C1138C6BF5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.9.0\",\"versionEndExcluding\":\"3.9.6\",\"matchCriteriaId\":\"AA7B0DE4-ACD6-47AC-8059-9D9B97876B68\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.10.0\",\"versionEndExcluding\":\"3.10.2\",\"matchCriteriaId\":\"4476038E-A854-4946-9CBF-42E2253B17D9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:objectcomputing:micronaut_security:3.11.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"15398E49-FF87-4B88-B9B3-B326709E26AD\"}]}]}],\"references\":[{\"url\":\"https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mitigation\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h\", \"name\": \"https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980\", \"name\": \"https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T17:01:09.850Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-36820\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-19T14:38:54.670086Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-19T14:38:59.886Z\"}}], \"cna\": {\"title\": \"micronaut security has invalid IdTokenClaimsValidator logic on aud\", \"source\": {\"advisory\": \"GHSA-qw22-8w9r-864h\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"micronaut-projects\", \"product\": \"micronaut-security\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 3.11.0, \u003c 3.11.1\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.10.0, \u003c 3.10.2\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.9.0, \u003c 3.9.6\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.8.0, \u003c 3.8.4\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.7.0, \u003c 3.7.4\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.6.0, \u003c 3.6.6\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.5.0, \u003c 3.5.3\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.4.0, \u003c 3.4.3\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.3.0, \u003c 3.3.2\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.2.0, \u003c 3.2.4\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.1.0, \u003c 3.1.2\"}]}], \"references\": [{\"url\": \"https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h\", \"name\": \"https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980\", \"name\": \"https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.\\n\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-284\", \"description\": \"CWE-284: Improper Access Control\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-10-09T13:30:26.387Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-36820\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-19T14:39:04.617Z\", \"dateReserved\": \"2023-06-27T15:43:18.385Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-10-09T13:30:26.387Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GSD-2023-36820

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2023-36820

Aliases

CVE-2023-36820

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-36820",
    "id": "GSD-2023-36820"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-36820"
      ],
      "details": "Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.\n",
      "id": "GSD-2023-36820",
      "modified": "2023-12-13T01:20:34.420142Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-36820",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "micronaut-security",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 3.11.0, \u003c 3.11.1"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 3.10.0, \u003c 3.10.2"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 3.9.0, \u003c 3.9.6"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 3.8.0, \u003c 3.8.4"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 3.7.0, \u003c 3.7.4"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 3.6.0, \u003c 3.6.6"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 3.5.0, \u003c 3.5.3"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 3.4.0, \u003c 3.4.3"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 3.3.0, \u003c 3.3.2"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 3.2.0, \u003c 3.2.4"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 3.1.0, \u003c 3.1.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "micronaut-projects"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.\n"
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-284",
                "lang": "eng",
                "value": "CWE-284: Improper Access Control"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h",
            "refsource": "MISC",
            "url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h"
          },
          {
            "name": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980",
            "refsource": "MISC",
            "url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-qw22-8w9r-864h",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:objectcomputing:micronaut_security:3.11.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.10.2",
                "versionStartIncluding": "3.10.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.9.6",
                "versionStartIncluding": "3.9.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.8.4",
                "versionStartIncluding": "3.8.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.7.4",
                "versionStartIncluding": "3.7.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.6.6",
                "versionStartIncluding": "3.6.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.5.3",
                "versionStartIncluding": "3.5.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.4.3",
                "versionStartIncluding": "3.4.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.3.2",
                "versionStartIncluding": "3.3.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.2.4",
                "versionStartIncluding": "3.2.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.1.2",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-36820"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.\n"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-284"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Mitigation",
                "Third Party Advisory"
              ],
              "url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h"
            },
            {
              "name": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.5
        }
      },
      "lastModifiedDate": "2023-10-13T16:35Z",
      "publishedDate": "2023-10-09T14:15Z"
    }
  }
}

GHSA-QW22-8W9R-864H

Vulnerability from github – Published: 2023-10-05 20:55 – Updated: 2023-10-13 22:11

Summary

io.micronaut.security:micronaut-security-oauth2 has invalid IdTokenClaimsValidator logic on aud

Details

Summary

IdTokenClaimsValidator skips aud claim validation if token is issued by same identity issuer/provider.

Details

See https://github.com/micronaut-projects/micronaut-security/blob/master/security-oauth2/src/main/java/io/micronaut/security/oauth2/client/IdTokenClaimsValidator.java#L202

This logic violates point 3 of https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation.

Workaround exists by setting micronaut.security.token.jwt.claims-validators.audience with valid values. micronaut.security.token.jwt.claims-validators.openid-idtoken can be kept as default on.

PoC

Should probably be:

                return issuer.equalsIgnoreCase(iss) &&
                        audiences.contains(clientId) &&
                                validateAzp(claims, clientId, audiences);

Impact

Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared.

Mitigation

Please upgrade to a patched micronaut-security-oauth2 release as soon as possible.

If you cannot upgrade, for example, if you are still using Micronaut Framework 2, you can patch your application by creating a replacement of IdTokenClaimsValidatorReplacement

```java package cve;

import io.micronaut.context.annotation.Replaces; import io.micronaut.context.annotation.Requires; import io.micronaut.core.annotation.NonNull; import io.micronaut.core.util.StringUtils; import io.micronaut.security.config.SecurityConfigurationProperties; import io.micronaut.security.oauth2.client.IdTokenClaimsValidator; import io.micronaut.security.oauth2.configuration.OauthClientConfiguration; import io.micronaut.security.oauth2.configuration.OpenIdClientConfiguration; import io.micronaut.security.token.jwt.generator.claims.JwtClaims; import io.micronaut.security.token.jwt.validator.JwtClaimsValidatorConfigurationProperties;

import javax.inject.Singleton; import java.net.URL; import java.util.Collection; import java.util.List; import java.util.Optional;

@Requires(property = SecurityConfigurationProperties.PREFIX + ".authentication", value = "idtoken") @Requires(property = JwtClaimsValidatorConfigurationProperties.PREFIX + ".openid-idtoken", notEquals = StringUtils.FALSE) @Singleton @Replaces(IdTokenClaimsValidator.class) public class IdTokenClaimsValidatorReplacement extends IdTokenClaimsValidator { public IdTokenClaimsValidatorReplacement(Collection oauthClientConfigurations) { super(oauthClientConfigurations); }

@Override
protected boolean validateIssuerAudienceAndAzp(@NonNull JwtClaims claims,
                                               @NonNull String iss,
                                               @NonNull List<String> audiences,
                                               @NonNull String clientId,
                                               @NonNull OpenIdClientConfiguration openIdClientConfiguration) {
    if (openIdClientConfiguration.getIssuer().isPresent()) {
        Optional<URL> issuerOptional = openIdClientConfiguration.getIssuer();
        if (issuerOptional.isPresent()) {
            String issuer = issuerOptional.get().toString();
            return issuer.equalsIgnoreCase(iss) &&
                    audiences.contains(clientId) &&
                            validateAzp(claims, clientId, audiences);
        }
    }
    return false;
}

} ``

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.micronaut.security:micronaut-security-oauth2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.11.0"
            },
            {
              "fixed": "3.11.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.micronaut.security:micronaut-security-oauth2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.10.0"
            },
            {
              "fixed": "3.10.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.micronaut.security:micronaut-security-oauth2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.9.0"
            },
            {
              "fixed": "3.9.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.micronaut.security:micronaut-security-oauth2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.8.0"
            },
            {
              "fixed": "3.8.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.micronaut.security:micronaut-security-oauth2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.7.0"
            },
            {
              "fixed": "3.7.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.micronaut.security:micronaut-security-oauth2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.6.0"
            },
            {
              "fixed": "3.6.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.micronaut.security:micronaut-security-oauth2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.5.0"
            },
            {
              "fixed": "3.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.micronaut.security:micronaut-security-oauth2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.4.0"
            },
            {
              "fixed": "3.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.micronaut.security:micronaut-security-oauth2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.3.0"
            },
            {
              "fixed": "3.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.micronaut.security:micronaut-security-oauth2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.2.0"
            },
            {
              "fixed": "3.2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.micronaut.security:micronaut-security-oauth2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.0"
            },
            {
              "fixed": "3.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-36820"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-05T20:55:14Z",
    "nvd_published_at": "2023-10-09T14:15:10Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nIdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider.\n\n### Details\n\nSee https://github.com/micronaut-projects/micronaut-security/blob/master/security-oauth2/src/main/java/io/micronaut/security/oauth2/client/IdTokenClaimsValidator.java#L202\n\nThis logic violates point 3 of https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation. \n\nWorkaround exists by setting `micronaut.security.token.jwt.claims-validators.audience` with valid values. \n `micronaut.security.token.jwt.claims-validators.openid-idtoken` can be kept as default on.\n\n### PoC\n\nShould probably be:\n\n```java\n                return issuer.equalsIgnoreCase(iss) \u0026\u0026\n                        audiences.contains(clientId) \u0026\u0026\n                                validateAzp(claims, clientId, audiences);\n```\n\n### Impact\n\nAny OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared.\n\n\n### Mitigation\n\nPlease upgrade to a patched `micronaut-security-oauth2` release as soon as possible.  \n\nIf you cannot upgrade, for example, if you are still using Micronaut Framework 2, you can patch your application by creating a replacement of `IdTokenClaimsValidatorReplacement`\n\n```java\npackage cve;\n\nimport io.micronaut.context.annotation.Replaces;\nimport io.micronaut.context.annotation.Requires;\nimport io.micronaut.core.annotation.NonNull;\nimport io.micronaut.core.util.StringUtils;\nimport io.micronaut.security.config.SecurityConfigurationProperties;\nimport io.micronaut.security.oauth2.client.IdTokenClaimsValidator;\nimport io.micronaut.security.oauth2.configuration.OauthClientConfiguration;\nimport io.micronaut.security.oauth2.configuration.OpenIdClientConfiguration;\nimport io.micronaut.security.token.jwt.generator.claims.JwtClaims;\nimport io.micronaut.security.token.jwt.validator.JwtClaimsValidatorConfigurationProperties;\n\nimport javax.inject.Singleton;\nimport java.net.URL;\nimport java.util.Collection;\nimport java.util.List;\nimport java.util.Optional;\n\n@Requires(property = SecurityConfigurationProperties.PREFIX + \".authentication\", value = \"idtoken\")\n@Requires(property = JwtClaimsValidatorConfigurationProperties.PREFIX + \".openid-idtoken\", notEquals = StringUtils.FALSE)\n@Singleton\n@Replaces(IdTokenClaimsValidator.class)\npublic class IdTokenClaimsValidatorReplacement extends IdTokenClaimsValidator {\n    public IdTokenClaimsValidatorReplacement(Collection\u003cOauthClientConfiguration\u003e oauthClientConfigurations) {\n        super(oauthClientConfigurations);\n    }\n\n    @Override\n    protected boolean validateIssuerAudienceAndAzp(@NonNull JwtClaims claims,\n                                                   @NonNull String iss,\n                                                   @NonNull List\u003cString\u003e audiences,\n                                                   @NonNull String clientId,\n                                                   @NonNull OpenIdClientConfiguration openIdClientConfiguration) {\n        if (openIdClientConfiguration.getIssuer().isPresent()) {\n            Optional\u003cURL\u003e issuerOptional = openIdClientConfiguration.getIssuer();\n            if (issuerOptional.isPresent()) {\n                String issuer = issuerOptional.get().toString();\n                return issuer.equalsIgnoreCase(iss) \u0026\u0026\n                        audiences.contains(clientId) \u0026\u0026\n                                validateAzp(claims, clientId, audiences);\n            }\n        }\n        return false;\n    }\n}\n``",
  "id": "GHSA-qw22-8w9r-864h",
  "modified": "2023-10-13T22:11:53Z",
  "published": "2023-10-05T20:55:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36820"
    },
    {
      "type": "WEB",
      "url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/micronaut-projects/micronaut-security"
    },
    {
      "type": "WEB",
      "url": "https://github.com/micronaut-projects/micronaut-security/blob/master/security-oauth2/src/main/java/io/micronaut/security/oauth2/client/IdTokenClaimsValidator.java#L202"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "io.micronaut.security:micronaut-security-oauth2 has invalid IdTokenClaimsValidator logic on aud"
}

FKIE_CVE-2023-36820

Vulnerability from fkie_nvd - Published: 2023-10-09 14:15 - Updated: 2024-11-21 08:10

Severity ?

4.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980	Patch
security-advisories@github.com	https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h	Exploit, Mitigation, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h	Exploit, Mitigation, Third Party Advisory

Impacted products

Vendor	Product	Version
objectcomputing	micronaut_security	*
objectcomputing	micronaut_security	*
objectcomputing	micronaut_security	*
objectcomputing	micronaut_security	*
objectcomputing	micronaut_security	*
objectcomputing	micronaut_security	*
objectcomputing	micronaut_security	*
objectcomputing	micronaut_security	*
objectcomputing	micronaut_security	*
objectcomputing	micronaut_security	*
objectcomputing	micronaut_security	3.11.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "670F1AC9-632E-4D47-9492-9BAC0084BE0E",
              "versionEndExcluding": "3.1.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "813AFD3C-E241-4376-AAF7-C4B276055121",
              "versionEndExcluding": "3.2.4",
              "versionStartIncluding": "3.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9626C2B1-79E6-4908-9ADF-E520DFC3402C",
              "versionEndExcluding": "3.3.2",
              "versionStartIncluding": "3.3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FBCDEED9-3639-4D90-9808-F27F9E2FB02B",
              "versionEndExcluding": "3.4.3",
              "versionStartIncluding": "3.4.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FDC29054-500C-4B79-BDD5-B48D989D02E9",
              "versionEndExcluding": "3.5.3",
              "versionStartIncluding": "3.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EA9D354C-1D89-4B68-AF7C-D712F0A1A8AD",
              "versionEndExcluding": "3.6.6",
              "versionStartIncluding": "3.6.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9AE52168-0CAF-4BF7-B88B-AF79149F6919",
              "versionEndExcluding": "3.7.4",
              "versionStartIncluding": "3.7.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "71B1B0A7-CCA3-4199-BC32-37C1138C6BF5",
              "versionEndExcluding": "3.8.4",
              "versionStartIncluding": "3.8.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AA7B0DE4-ACD6-47AC-8059-9D9B97876B68",
              "versionEndExcluding": "3.9.6",
              "versionStartIncluding": "3.9.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4476038E-A854-4946-9CBF-42E2253B17D9",
              "versionEndExcluding": "3.10.2",
              "versionStartIncluding": "3.10.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:objectcomputing:micronaut_security:3.11.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "15398E49-FF87-4B88-B9B3-B326709E26AD",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.\n"
    },
    {
      "lang": "es",
      "value": "Micronaut Security es una soluci\u00f3n de seguridad para aplicaciones. Antes de las versiones 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2 y 3.11.1, IdTokenClaimsValidator omite Validaci\u00f3n de reclamo `aud` si el token es emitido por el mismo emisor/proveedor de identidad. Cualquier configuraci\u00f3n de OIDC que utilice Micronaut en la que existan varias aplicaciones OIDC para el mismo emisor, pero la autenticaci\u00f3n de token no debe compartirse. Este problema se solucion\u00f3 en las versiones 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2 y 3.11. 1."
    }
  ],
  "id": "CVE-2023-36820",
  "lastModified": "2024-11-21T08:10:40.067",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 2.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.5,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-10-09T14:15:10.640",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-36820 (GCVE-0-2023-36820)

GSD-2023-36820

GHSA-QW22-8W9R-864H

Summary

Details

PoC

Impact

Mitigation

FKIE_CVE-2023-36820

Tags

Sightings

Nomenclature