Tommyli
#41597de 53,638
CVSS total: 6.5
Vulnerabilities: 1

PT-2023-25712 · CVSS 6.5 · 2023-10-05
Micronaut · Micronaut Security · CVE-2023-36820
**Name of the Vulnerable Software and Affected Versions**

Micronaut Security, in each of the following release lines:

- versions prior to 3.1.2
- versions prior to 3.2.4
- versions prior to 3.3.2
- versions prior to 3.4.3
- versions prior to 3.5.3
- versions prior to 3.6.6
- versions prior to 3.7.4
- versions prior to 3.8.4
- versions prior to 3.9.6
- versions prior to 3.10.2
- versions prior to 3.11.1

**Description**

`IdTokenClaimsValidator` skips validation of the `aud` (audience) claim when the ID token's issuer (`iss`) matches a configured OIDC identity provider. An ID token minted by that issuer for a different client application, and therefore carrying a different `aud`, is accepted as if it had been issued for this one. This issue affects any OIDC setup using Micronaut where multiple OIDC applications are registered with the same issuer but their tokens are not meant to be shared between them.

**Recommendations**

Upgrade to the first fixed release of the line you are on:

- prior to 3.1.2: upgrade to 3.1.2 or later
- prior to 3.2.4: upgrade to 3.2.4 or later
- prior to 3.3.2: upgrade to 3.3.2 or later
- prior to 3.4.3: upgrade to 3.4.3 or later
- prior to 3.5.3: upgrade to 3.5.3 or later
- prior to 3.6.6: upgrade to 3.6.6 or later
- prior to 3.7.4: upgrade to 3.7.4 or later
- prior to 3.8.4: upgrade to 3.8.4 or later
- prior to 3.9.6: upgrade to 3.9.6 or later
- prior to 3.10.2: upgrade to 3.10.2 or later
- prior to 3.11.1: upgrade to 3.11.1 or later

As a temporary workaround, set `micronaut.security.token.jwt.claims-validators.audience` to the audience values your application accepts, so that tokens addressed to another client are rejected. If you cannot upgrade, for example because you are still using Micronaut Framework 2, you can patch your application by creating a replacement of `IdTokenClaimsValidator` (for example, a class named `IdTokenClaimsValidatorReplacement`) that validates the `aud` claim itself.
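To make the flaw concrete, the following is an added, constructed illustration (not Micronaut's code) of the two validation policies side by side: the vulnerable one, which accepts any ID token whose `iss` matches a configured provider, and the hardened one, which additionally requires `aud` to contain the client id of that provider, as OpenID Connect Core 1.0 section 3.1.3.7 demands. Tokens are modelled as already signature-verified claim dicts; `OidcClient`, the client names and the issuer URL are assumptions made up for this example.

```python
"""Constructed illustration of the CVE-2023-36820 logic flaw (not Micronaut's code).

ID tokens are represented as claim dicts whose signatures are assumed to have
been verified already; only the issuer/audience policy is shown here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class OidcClient:
    """One configured OIDC application (hypothetical stand-in for an
    OAuth/OIDC client configuration entry)."""
    name: str
    issuer: str
    client_id: str


# Constructed sample: two applications registered with the same identity provider.
ISSUER = "https://idp.example.test/"              # assumed issuer URL
BILLING = OidcClient("billing", ISSUER, "billing-app")
SUPPORT = OidcClient("support", ISSUER, "support-app")

# What the billing application has configured: only its own client.
BILLING_CLIENTS = [BILLING]

# Constructed ID-token claims (already signature-verified in this model).
OWN_TOKEN = {"iss": ISSUER, "sub": "alice", "aud": "billing-app"}
FOREIGN_TOKEN = {"iss": ISSUER, "sub": "alice", "aud": "support-app"}
MULTI_AUD_TOKEN = {"iss": ISSUER, "sub": "bob", "aud": ["support-app", "billing-app"]}
OTHER_ISSUER_TOKEN = {"iss": "https://other.example.test/", "sub": "eve", "aud": "billing-app"}
NO_AUD_TOKEN = {"iss": ISSUER, "sub": "mallory"}


def audience_matches(claims: dict, client_id: str) -> bool:
    """RFC 7519 allows `aud` to be a single string or an array of strings."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        return aud == client_id
    if isinstance(aud, (list, tuple)):
        return client_id in aud
    return False  # missing or malformed audience never matches


def validate_vulnerable(claims: dict, clients: list[OidcClient]) -> bool:
    """Pre-fix policy as described by the advisory: once `iss` matches a
    configured provider the token is accepted and `aud` is never checked."""
    return any(claims.get("iss") == c.issuer for c in clients)


def validate_fixed(claims: dict, clients: list[OidcClient]) -> bool:
    """Hardened policy: the token must come from a configured provider AND be
    addressed to that provider's client_id (OIDC Core 1.0, 3.1.3.7)."""
    for c in clients:
        if claims.get("iss") == c.issuer and audience_matches(claims, c.client_id):
            return True
    return False


def compare_policies(claims: dict, clients: list[OidcClient]) -> dict:
    """Return both verdicts for one token so the gap is visible at a glance."""
    return {
        "vulnerable": validate_vulnerable(claims, clients),
        "fixed": validate_fixed(claims, clients),
    }


if __name__ == "__main__":
    for label, token in [
        ("own token", OWN_TOKEN),
        ("token minted for support-app", FOREIGN_TOKEN),
        ("multi-audience token", MULTI_AUD_TOKEN),
        ("token from another issuer", OTHER_ISSUER_TOKEN),
        ("token without aud", NO_AUD_TOKEN),
    ]:
        print(f"{label:30s} -> {compare_policies(token, BILLING_CLIENTS)}")
```

The second and last rows are the ones that matter: a token issued by the same provider for the support application, or one with no `aud` at all, passes the vulnerable check in the billing application and is rejected by the fixed one; the `micronaut.security.token.jwt.claims-validators.audience` workaround achieves the same rejection by running a generic audience check in front of the ID-token validator.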