PT-2023-25712 · Micronaut · Micronaut Security

Tommyli

·

Published

2023-10-05

·

Updated

2023-10-13

·

CVE-2023-36820

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Micronaut Security, every 3.x minor line before its patched release:
Micronaut Security versions prior to 3.1.2
Micronaut Security versions prior to 3.2.4
Micronaut Security versions prior to 3.3.2
Micronaut Security versions prior to 3.4.3
Micronaut Security versions prior to 3.5.3
Micronaut Security versions prior to 3.6.6
Micronaut Security versions prior to 3.7.4
Micronaut Security versions prior to 3.8.4
Micronaut Security versions prior to 3.9.6
Micronaut Security versions prior to 3.10.2
Micronaut Security versions prior to 3.11.1

Description

IdTokenClaimsValidator skips validation of the aud claim when the token was issued by the same identity issuer/provider that the application is configured for. This affects any OIDC setup using Micronaut in which several OIDC applications (clients) are registered with the same issuer but their tokens are not meant to be interchangeable: because only the issuer is checked, an ID token issued for one of those applications is accepted by another.

Recommendations

Upgrade to the patched release of the 3.x minor line you are on: 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2 or 3.11.1, or any later release of that line.

As a temporary workaround, set micronaut.security.token.jwt.claims-validators.audience to the audience values your application accepts. If you cannot upgrade (for example, if you are still using Micronaut Framework 2), you can patch your application by creating a replacement of IdTokenClaimsValidator (for example an IdTokenClaimsValidatorReplacement bean) that performs the missing aud check.
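The following is an added example, not Micronaut's code and not part of the original advisory: a small model of ID-token claim validation that reproduces the flaw described above (issuer match accepted as sufficient, aud never examined) next to a corrected check. The two applications, their client IDs, the issuer URL and the token claims are constructed for the example. The corrected check goes slightly beyond the advisory text by also applying the azp rule from OpenID Connect Core 1.0 section 3.1.3.7 for tokens that carry more than one audience.

```python
# Added example (not Micronaut's code): a minimal model of ID-token claim
# validation showing why a matching issuer is not a substitute for checking
# the aud claim. Client IDs, issuer URL and token claims are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class OidcClient:
    """One relying party (OIDC application) registered at the identity provider."""
    name: str
    client_id: str
    issuer: str


# Two applications registered with the same OIDC provider (constructed data).
# Each trusts the issuer, but a token minted for one must not log a user
# into the other.
ISSUER = "https://idp.example.test/"
APP_A = OidcClient("app-a", "client-id-app-a", ISSUER)
APP_B = OidcClient("app-b", "client-id-app-b", ISSUER)


def audiences(claims: dict) -> list:
    """aud is either a single string or a list of strings (RFC 7519, 4.1.3)."""
    aud = claims.get("aud")
    if aud is None:
        return []
    return [aud] if isinstance(aud, str) else list(aud)


def validate_vulnerable(claims: dict, client: OidcClient) -> bool:
    """Models the flawed behaviour: once iss matches the configured issuer the
    aud claim is never examined, so every client of that issuer accepts tokens
    issued for every other client of the same issuer."""
    return claims.get("iss") == client.issuer


def validate_fixed(claims: dict, client: OidcClient) -> bool:
    """iss AND aud/azp checks per OpenID Connect Core 1.0 section 3.1.3.7.
    Signature, exp and nonce checks are assumed to happen elsewhere."""
    if claims.get("iss") != client.issuer:
        return False
    auds = audiences(claims)
    if client.client_id not in auds:
        return False
    azp = claims.get("azp")
    # With several audiences the token must name the party it was issued to;
    # reject rather than guess when azp is missing.
    if len(auds) > 1 and azp is None:
        return False
    if azp is not None and azp != client.client_id:
        return False
    return True


# Constructed ID tokens (claims only; the JWS envelope is out of scope here).
TOKEN_FOR_APP_B = {"iss": ISSUER, "sub": "user-123", "aud": APP_B.client_id}
TOKEN_MULTI_AUD = {
    "iss": ISSUER,
    "sub": "user-123",
    "aud": [APP_A.client_id, APP_B.client_id],
    "azp": APP_B.client_id,
}
TOKEN_MULTI_AUD_NO_AZP = {
    "iss": ISSUER,
    "sub": "user-123",
    "aud": [APP_A.client_id, APP_B.client_id],
}
TOKEN_OTHER_ISSUER = {
    "iss": "https://other-idp.example.test/",
    "sub": "user-123",
    "aud": APP_A.client_id,
}


def cross_app_check(claims: dict) -> dict:
    """Which (validator, application) pairs accept the given token."""
    return {
        "vulnerable/app-a": validate_vulnerable(claims, APP_A),
        "vulnerable/app-b": validate_vulnerable(claims, APP_B),
        "fixed/app-a": validate_fixed(claims, APP_A),
        "fixed/app-b": validate_fixed(claims, APP_B),
    }


if __name__ == "__main__":
    samples = [
        ("token issued for app-b", TOKEN_FOR_APP_B),
        ("multi-aud, azp=app-b", TOKEN_MULTI_AUD),
        ("multi-aud, no azp", TOKEN_MULTI_AUD_NO_AZP),
        ("other issuer", TOKEN_OTHER_ISSUER),
    ]
    for label, token in samples:
        print(f"{label}: {cross_app_check(token)}")
```

The first sample is the advisory's scenario: a token issued for app-b is accepted by app-a under the vulnerable rule and rejected under the fixed one, while app-b accepts it under both. The multi-audience samples show why the azp rule matters once a provider issues tokens naming several clients at once.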

Exploit

Fix

Weakness Enumeration

Improper Access Control (CWE-284)

Related identifiers

CVE-2023-36820
GHSA-QW22-8W9R-864H

Affected products

Micronaut Security