CVE-2024-21643 microsoft.identitymodel.protocols.signedhttprequest

Package

Manager: nuget
Name: microsoft.identitymodel.protocols.signedhttprequest
Vulnerable Version: >=0 <6.34.0 || >=7.0.0-preview <7.1.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

EPSS: 0.0063 (percentile 0.69379)

Details

Microsoft.IdentityModel.Protocols.SignedHttpRequest remote code execution vulnerability

### Impact

_What kind of vulnerability is it? Who is impacted?_

Anyone leveraging the `SignedHttpRequest` protocol or the `SignedHttpRequestValidator` is vulnerable. Microsoft.IdentityModel trusts the `jku` claim by default for the `SignedHttpRequest` protocol. This makes it possible to cause the validator to issue any remote or local `HTTP GET` request.

### Patches

_Has the problem been patched? What versions should users upgrade to?_

The vulnerability has been fixed in Microsoft.IdentityModel.Protocols.SignedHttpRequest. Users **should** update **all** their Microsoft.IdentityModel packages to 7.1.2 or higher (for 7.x) or 6.34.0 or higher (for 6.x) if they use Microsoft.IdentityModel.Protocols.SignedHttpRequest.

### Workarounds

_Is there a way for users to fix or remediate the vulnerability without upgrading?_

No, users must upgrade.

### References

_Are there any links users can visit to find out more?_

https://aka.ms/IdentityModel/Jan2024/jku

Metadata

Created: 2024-01-09T18:25:47Z
Modified: 2024-01-10T15:13:42Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-rv9j-c866-gp5h/GHSA-rv9j-c866-gp5h.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-rv9j-c866-gp5h
Finding: F416
Auto approve: 1