Описание
Microsoft.IdentityModel.Protocols.SignedHttpRequest remote code execution vulnerability
Impact
What kind of vulnerability is it? Who is impacted?
Anyone leveraging the SignedHttpRequestprotocol or the SignedHttpRequestValidatoris vulnerable. Microsoft.IdentityModel trusts the jkuclaim by default for the SignedHttpRequestprotocol. This raises the possibility to make any remote or local HTTP GET request.
Patches
Has the problem been patched? What versions should users upgrade to? The vulnerability has been fixed in Microsoft.IdentityModel.Protocols.SignedHttpRequest. Users should update all their Microsoft.IdentityModel versions to 7.1.2 (for 7x) or higher, 6.34.0 (for 6x) or higher, if using Microsoft.IdentityModel.Protocols.SignedHttpRequest.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading? No, users must upgrade.
References
Are there any links users can visit to find out more? https://aka.ms/IdentityModel/Jan2024/jku
Ссылки
- https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/security/advisories/GHSA-rv9j-c866-gp5h
- https://nvd.nist.gov/vuln/detail/CVE-2024-21643
- https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/releases/tag/6.34.0
- https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/releases/tag/7.1.2
- https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/wiki/jkucve
Пакеты
Microsoft.IdentityModel.Protocols.SignedHttpRequest
< 6.34.0
6.34.0
Microsoft.IdentityModel.Protocols.SignedHttpRequest
>= 7.0.0-preview, < 7.1.2
7.1.2
Связанные уязвимости
IdentityModel Extensions for .NET provide assemblies for web developers that wish to use federated identity providers for establishing the caller's identity. Anyone leveraging the `SignedHttpRequest`protocol or the `SignedHttpRequestValidator`is vulnerable. Microsoft.IdentityModel trusts the `jku`claim by default for the `SignedHttpRequest`protocol. This raises the possibility to make any remote or local `HTTP GET` request. The vulnerability has been fixed in Microsoft.IdentityModel.Protocols.SignedHttpRequest. Users should update all their Microsoft.IdentityModel versions to 7.1.2 (for 7x) or higher, 6.34.0 (for 6x) or higher.