GHSA-55P7-V223-X366
Vulnerability from github – Published: 2024-07-31 19:57 – Updated: 2024-07-31 19:57
VLAI
Summary
IdentityServer Open Redirect vulnerability
Details
Impact
It is possible for an attacker to craft malicious Urls that certain functions in IdentityServer will incorrectly treat as local and trusted. If such a Url is returned as a redirect, some browsers will follow it to a third-party, untrusted site.
Affected Methods
- In the
DefaultIdentityServerInteractionService, theGetAuthorizationContextAsyncmethod may return non-null and theIsValidReturnUrlmethod may return true for malicious Urls, indicating incorrectly that they can be safely redirected to.
UI code calling these two methods is the most commonly used code path that will expose the vulnerability. The default UI templates rely on this behavior in the Login, Challenge, and Consent pages. Customized user interface code might also rely on this behavior. The following uncommonly used APIs are also vulnerable:
- The
ServerUrlExtensions.GetIdentityServerRelativeUrl,ReturnUrlParser.ParseAsyncandOidcReturnUrlParser.ParseAsyncmethods may incorrectly return non-null, and theReturnUrlParser.IsValidReturnUrlandOidcReturnUrlParser.IsValidReturnUrlmethods may incorrectly return true for malicious Urls.
Patches
IdentityServer4 is no longer supported and will not be receiving updates. Please consider updating to Duende.IdentityServer.
Severity
4.7 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "IdentityServer4"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-31T19:57:33Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\nIt is possible for an attacker to craft malicious Urls that certain functions in IdentityServer will incorrectly treat as local and trusted. If such a Url is returned as a redirect, some browsers will follow it to a third-party, untrusted site.\n\n### Affected Methods\n- In the `DefaultIdentityServerInteractionService`, the `GetAuthorizationContextAsync` method may return non-null and the `IsValidReturnUrl` method may return true for malicious Urls, indicating incorrectly that they can be safely redirected to.\n\n _UI code calling these two methods is the most commonly used code path that will expose the vulnerability. The default UI templates rely on this behavior in the Login, Challenge, and Consent pages. Customized user interface code might also rely on this behavior. The following uncommonly used APIs are also vulnerable:_\n\n- The `ServerUrlExtensions.GetIdentityServerRelativeUrl`, `ReturnUrlParser.ParseAsync` and `OidcReturnUrlParser.ParseAsync` methods may incorrectly return non-null, and the `ReturnUrlParser.IsValidReturnUrl` and `OidcReturnUrlParser.IsValidReturnUrl` methods may incorrectly return true for malicious Urls.\n\n### Patches\nIdentityServer4 is no longer supported and will not be receiving updates. Please consider updating to [Duende.IdentityServer](https://duendesoftware.com).\n",
"id": "GHSA-55p7-v223-x366",
"modified": "2024-07-31T19:57:33Z",
"published": "2024-07-31T19:57:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/DuendeSoftware/IdentityServer/security/advisories/GHSA-ff4q-64jc-gx98"
},
{
"type": "WEB",
"url": "https://github.com/IdentityServer/IdentityServer4/security/advisories/GHSA-55p7-v223-x366"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39694"
},
{
"type": "PACKAGE",
"url": "https://github.com/IdentityServer/IdentityServer4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "IdentityServer Open Redirect vulnerability"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…