Microsoft · Microsoft.IdentityModel · CVE-2024-21643
**Name of the Vulnerable Software and Affected Versions**
Microsoft.IdentityModel versions prior to 6.34.0
Microsoft.IdentityModel versions prior to 7.1.2
**Description**
The issue affects IdentityModel Extensions for .NET, which provide assemblies that let web developers use federated identity providers to establish the caller's identity. Anyone leveraging the `SignedHttpRequest` protocol or the `SignedHttpRequestValidator` is vulnerable. Microsoft.IdentityModel trusts the `jku` claim by default for the `SignedHttpRequest` protocol, so an untrusted `jku` value can cause the library to issue an arbitrary remote or local `HTTP GET` request.
**Recommendations**
For Microsoft.IdentityModel versions prior to 6.34.0, update to 6.34.0 or higher.
For Microsoft.IdentityModel versions prior to 7.1.2, update to 7.1.2 or higher.
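Added example, not part of this advisory: a Python check that scans a `.csproj` for Microsoft.IdentityModel package references and applies the two fixed-version thresholds above. It handles the release-line split (a 6.34.x release is patched even though it is older than 7.1.2, so a single "less than 7.1.2" test would misfire) and, following NuGet ordering, treats a pre-release of a fixed version as still prior to it. The project file content is constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Fixed versions from the advisory: 6.x line fixed in 6.34.0, 7.x line fixed in 7.1.2.
FIXED_6 = (6, 34, 0)
FIXED_7 = (7, 1, 2)

def parse_version(text: str) -> Tuple[Tuple[int, int, int], bool]:
    """Split a NuGet version like '7.0.3' or '7.1.2-preview' into
    ((major, minor, patch), is_prerelease); missing parts are padded with 0."""
    core, _, suffix = text.partition("-")
    parts = [int(p) for p in re.findall(r"\d+", core)][:3]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2]), bool(suffix)

def is_vulnerable(version: str) -> bool:
    """True if the version falls in an affected range of CVE-2024-21643.
    7.x is compared against 7.1.2; 6.x and every older line against 6.34.0.
    A pre-release of the fixed version itself (e.g. 7.1.2-preview) still
    precedes the fix, so it is reported as affected."""
    v, prerelease = parse_version(version)
    fixed = FIXED_7 if v[0] == 7 else FIXED_6
    return v < fixed or (v == fixed and prerelease)

def scan_csproj(xml_text: str) -> List[Tuple[str, str, bool]]:
    """Return (package, version, vulnerable) for each Microsoft.IdentityModel*
    PackageReference; Version may be an attribute or a child element."""
    root = ET.fromstring(xml_text)
    findings = []
    for ref in root.iter("PackageReference"):
        name = ref.get("Include", "")
        if not name.startswith("Microsoft.IdentityModel"):
            continue
        version = ref.get("Version") or ref.findtext("Version") or ""
        if version:
            findings.append((name, version, is_vulnerable(version)))
    return findings

# Constructed sample project file (not from any real project).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Microsoft.IdentityModel.Protocols.SignedHttpRequest" Version="7.0.3" />
    <PackageReference Include="Microsoft.IdentityModel.Tokens" Version="6.35.0" />
    <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens"><Version>6.33.0</Version></PackageReference>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for name, version, vulnerable in scan_csproj(SAMPLE_CSPROJ):
        print(f"{'AFFECTED' if vulnerable else 'ok      '} {name} {version}")
```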