GHSA-8g9c-28fc-mcx2 microsoft.identitymodel.jsonwebtokens

Package

Manager: nuget
Name: microsoft.identitymodel.jsonwebtokens
Vulnerable Version: <0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

CVSS v4.0: N/A

EPSS: N/A (percentile: N/A)

Details

Duplicate Advisory: Microsoft Identity Denial of service vulnerability

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-59j7-ghrg-fj52. This link is maintained to preserve external references.

Original Description

Impact

An attacker could exploit this vulnerability by crafting a malicious JSON Web Encryption (JWE) token with a high compression ratio. When a server processes such a token, decompressing it leads to excessive memory allocation and processing time, causing a denial-of-service (DoS) condition. Note that the attacker must have access to the public encryption key registered with the IdP (Entra ID) for successful exploitation.

According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

A scope change (S:C) in the CVSS metric indicates that successful exploitation of this vulnerability could extend beyond the immediate processing of malicious tokens, affecting the overall availability of the system by causing a denial-of-service (DoS) condition.

Patches

The vulnerability has been fixed. Users should update all their Microsoft.IdentityModel packages to 7.1.2 or higher (for 7.x), 6.34.0 or higher (for 6.x), or 5.7.0 (for 5.x).

Workarounds

None; users must upgrade.

References

https://aka.ms/IdentityModel/Jan2024/zip
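The failure mode described above is a decompression bomb: the JWE "zip":"DEF" member carries raw DEFLATE, and a few kilobytes of ciphertext can inflate to many megabytes once decrypted. The following is an added example, not code from Microsoft.IdentityModel or from this advisory, showing the general defensive pattern a token consumer wants at the inflate step: decompress in bounded chunks and abort as soon as the output would exceed a configured ceiling, so a hostile payload never reaches the allocation it was built to trigger. The 64 KiB ceiling and the sample payloads are constructed assumptions for illustration; a real service sizes the limit to its own tokens.

```python
import zlib

# Assumed ceiling for the inflated token payload (constructed for this example;
# a real deployment picks a value matching the largest legitimate token it issues).
MAX_PLAINTEXT_BYTES = 64 * 1024


class DecompressionLimitExceeded(ValueError):
    """Raised when inflating a payload would exceed the configured ceiling."""


def deflate_raw(data: bytes) -> bytes:
    """Raw DEFLATE (no zlib header/trailer), the encoding JWE "zip":"DEF" uses.

    Used here only to build sample inputs for the demo and tests."""
    c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return c.compress(data) + c.flush()


def inflate_bounded(data: bytes,
                    max_out: int = MAX_PLAINTEXT_BYTES,
                    chunk: int = 16 * 1024) -> bytes:
    """Inflate a raw DEFLATE stream without ever buffering more than max_out bytes.

    zlib.decompressobj.decompress(..., max_length) stops after producing at most
    max_length bytes and parks unconsumed input in .unconsumed_tail, so memory use
    is bounded by the chunk size plus the running total, never by the attacker's
    chosen compression ratio.
    """
    d = zlib.decompressobj(-zlib.MAX_WBITS)  # negative wbits selects raw DEFLATE
    out = bytearray()
    pending = data
    while True:
        # Never ask for more than one byte past the ceiling; that byte is what
        # proves the payload is oversized. The argument is always >= 1, so it
        # never becomes 0 (which zlib would treat as "unlimited").
        piece = d.decompress(pending, min(chunk, max_out + 1 - len(out)))
        out.extend(piece)
        if len(out) > max_out:
            raise DecompressionLimitExceeded(
                f"inflated payload exceeds {max_out} bytes; rejecting token")
        if d.eof:
            return bytes(out)
        pending = d.unconsumed_tail
        if not pending and not piece:
            # Input exhausted, no further output, and no end-of-stream marker.
            raise ValueError("truncated or malformed DEFLATE stream")


def check_payload(compressed: bytes, max_out: int = MAX_PLAINTEXT_BYTES) -> dict:
    """Summarise what bounded inflation does with one compressed payload."""
    try:
        plain = inflate_bounded(compressed, max_out)
        return {"accepted": True, "compressed": len(compressed), "inflated": len(plain)}
    except DecompressionLimitExceeded:
        return {"accepted": False, "compressed": len(compressed), "inflated": None}


if __name__ == "__main__":
    # Constructed samples: a realistic-sized claims payload and an 8 MiB run of
    # zero bytes that DEFLATE shrinks to a few kilobytes.
    legit = deflate_raw(b'{"sub":"user@example.test","scope":"read"}' * 4)
    bomb = deflate_raw(b"\x00" * (8 * 1024 * 1024))
    for label, payload in (("legitimate", legit), ("high-ratio", bomb)):
        print(label, check_payload(payload))
```

The point of the chunked loop is that `len(out)` is checked before the next chunk is requested, so the cost of rejecting a hostile payload is bounded by `max_out + chunk` bytes of memory and a proportionally small amount of CPU, regardless of how large the stream would have become. A single-call `zlib.decompress()` has no such bound and is the shape of code this advisory describes.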

Metadata

Created: 2024-01-09T18:28:03Z
Modified: 2024-04-15T19:42:18Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-8g9c-28fc-mcx2/GHSA-8g9c-28fc-mcx2.json
CWE IDs: ["CWE-20"]
Alternative ID: N/A
Finding: N/A
Auto approve: 0