Microsoft · Asp.Net Core · CVE-2024-39694
**Name of the Vulnerable Software and Affected Versions**
Duende IdentityServer versions 5.1 and earlier
Duende IdentityServer versions 6.0 through 6.0.4
Duende IdentityServer versions 6.1 through 6.1.7
Duende IdentityServer versions 6.2 through 6.2.4
Duende IdentityServer versions 6.3 through 6.3.9
Duende IdentityServer versions 7.0 through 7.0.5
All versions of IdentityServer4
**Description**
It is possible for an attacker to craft malicious URLs that certain functions in IdentityServer will incorrectly treat as local and trusted. If such a URL is returned as a redirect, some browsers will follow it to a third-party, untrusted site. This issue does not allow an attacker to obtain user credentials, authorization codes, access tokens, refresh tokens, or identity tokens by itself. However, an attacker could exploit this issue as part of a phishing attack designed to steal user credentials. The `DefaultIdentityServerInteractionService` methods `GetAuthorizationContextAsync` and `IsValidReturnUrl` may return non-null and true for malicious URLs, indicating incorrectly that they can be safely redirected to. Other vulnerable methods include `ServerUrlExtensions.GetIdentityServerRelativeUrl`, `ReturnUrlParser.ParseAsync`, `OidcReturnUrlParser.ParseAsync`, `ReturnUrlParser.IsValidReturnUrl`, and `OidcReturnUrlParser.IsValidReturnUrl`.
**Recommendations**
For Duende IdentityServer versions 5.1 and earlier, and all versions of IdentityServer4, consider updating to a supported version of Duende IdentityServer.
For Duende IdentityServer versions 6.0 through 6.0.4, update to version 6.0.5 or later.
For Duende IdentityServer versions 6.1 through 6.1.7, update to version 6.1.8 or later.
For Duende IdentityServer versions 6.2 through 6.2.4, update to version 6.2.5 or later.
For Duende IdentityServer versions 6.3 through 6.3.9, update to version 6.3.10 or later.
For Duende IdentityServer versions 7.0 through 7.0.5, update to version 7.0.6 or later.
If upgrading is not possible, use `IUrlHelper.IsLocalUrl` from ASP.NET Core to validate return URLs in user interface code in the IdentityServer host. `IsLocalUrl` accepts only paths that start with a single `/` (not `//` or `/\`) or with `~/`, so absolute and protocol-relative URLs are rejected regardless of what the IdentityServer parsers return. Apply it in every host action that redirects to a user-supplied return URL (for example the login, consent and logout pages), and never rely on `IsValidReturnUrl` or a non-null result from `GetAuthorizationContextAsync` alone on an unpatched version.
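The following is an added example of the workaround above, written for this page; it is not Duende's code or the IdentityServer quickstart UI. It assumes an MVC login handler in the IdentityServer host; the names `AccountController`, `LoginInputModel` and `SafeReturnUrl` are hypothetical, and the credential check and sign-in call are omitted. The vulnerable pattern is shown in a comment beside the hardened one.

```csharp
using System.Threading.Tasks;
using Duende.IdentityServer.Services;
using Microsoft.AspNetCore.Mvc;

// Hypothetical view model for the login form (not part of IdentityServer).
public class LoginInputModel
{
    public string Username { get; set; } = "";
    public string Password { get; set; } = "";
    public string? ReturnUrl { get; set; }
}

// Hypothetical host controller; only the return-URL handling is shown.
public class AccountController : Controller
{
    private readonly IIdentityServerInteractionService _interaction;

    public AccountController(IIdentityServerInteractionService interaction)
    {
        _interaction = interaction;
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(LoginInputModel model)
    {
        // ... credential validation and HttpContext.SignInAsync(...) omitted ...

        // Vulnerable pattern: trusting the interaction service alone. On an
        // unpatched version GetAuthorizationContextAsync / IsValidReturnUrl can
        // return non-null / true for a crafted URL, so this would redirect the
        // browser to an attacker-controlled site.
        //
        //   var context = await _interaction.GetAuthorizationContextAsync(model.ReturnUrl);
        //   if (context != null || _interaction.IsValidReturnUrl(model.ReturnUrl))
        //       return Redirect(model.ReturnUrl);

        // Hardened pattern: the interaction service may still be consulted for
        // the authorization context, but the redirect itself is gated on
        // ASP.NET Core's IsLocalUrl, which accepts only "/path" (not "//..."
        // or "/\...") and "~/path".
        var context = await _interaction.GetAuthorizationContextAsync(model.ReturnUrl);
        // context can be used here to decide, e.g., whether to show a consent
        // page; it is deliberately NOT used to decide whether to redirect.

        return Redirect(SafeReturnUrl(model.ReturnUrl));
    }

    // Returns the supplied return URL only if ASP.NET Core considers it local;
    // otherwise falls back to the site root so the user is never sent off-site.
    private string SafeReturnUrl(string? returnUrl)
    {
        if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
        {
            return returnUrl;
        }
        return "~/";
    }
}
```

The same `SafeReturnUrl` gate belongs in any other host action that issues a redirect from user input (consent and logout pages included); the fallback to `~/` rather than an error keeps legitimate flows working while denying the open redirect.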