GHSA-RV9J-C866-GP5H

Vulnerability from github – Published: 2024-01-09 18:25 – Updated: 2024-01-10 15:13
VLAI?
Summary
Microsoft.IdentityModel.Protocols.SignedHttpRequest remote code execution vulnerability
Details

Impact

What kind of vulnerability is it? Who is impacted? Anyone leveraging the SignedHttpRequestprotocol or the SignedHttpRequestValidatoris vulnerable. Microsoft.IdentityModel trusts the jkuclaim by default for the SignedHttpRequestprotocol. This raises the possibility to make any remote or local HTTP GET request.

Patches

Has the problem been patched? What versions should users upgrade to? The vulnerability has been fixed in Microsoft.IdentityModel.Protocols.SignedHttpRequest. Users should update all their Microsoft.IdentityModel versions to 7.1.2 (for 7x) or higher, 6.34.0 (for 6x) or higher, if using Microsoft.IdentityModel.Protocols.SignedHttpRequest.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading? No, users must upgrade.

References

Are there any links users can visit to find out more? https://aka.ms/IdentityModel/Jan2024/jku

Severity ?
7.1 (High)
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.IdentityModel.Protocols.SignedHttpRequest"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.34.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.IdentityModel.Protocols.SignedHttpRequest"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0-preview"
            },
            {
              "fixed": "7.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-21643"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-09T18:25:47Z",
    "nvd_published_at": "2024-01-10T05:15:09Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\nAnyone leveraging the `SignedHttpRequest`protocol or the `SignedHttpRequestValidator`is vulnerable. Microsoft.IdentityModel trusts the `jku`claim by default for the `SignedHttpRequest`protocol. This raises the possibility to make any remote or local `HTTP GET` request. \n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\nThe vulnerability has been fixed in Microsoft.IdentityModel.Protocols.SignedHttpRequest. Users **should** update **all** their Microsoft.IdentityModel versions to 7.1.2 (for 7x) or higher, 6.34.0 (for 6x) or higher, if using Microsoft.IdentityModel.Protocols.SignedHttpRequest.\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\nNo, users must upgrade.\n\n### References\n_Are there any links users can visit to find out more?_\nhttps://aka.ms/IdentityModel/Jan2024/jku",
  "id": "GHSA-rv9j-c866-gp5h",
  "modified": "2024-01-10T15:13:42Z",
  "published": "2024-01-09T18:25:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/security/advisories/GHSA-rv9j-c866-gp5h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21643"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/releases/tag/6.34.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/releases/tag/7.1.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/wiki/jkucve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Microsoft.IdentityModel.Protocols.SignedHttpRequest remote code execution vulnerability"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.