PT-2024-16047 · Amazon · Amazon.ApplicationLoadBalancer.Identity.AspNetCore

Liad-Miggo · Published 2024-10-21 · Updated 2025-10-14 · CVE-2024-10125

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Amazon.ApplicationLoadBalancer.Identity.AspNetCore (affected versions not specified)

Description
The issue concerns the Amazon.ApplicationLoadBalancer.Identity.AspNetCore repository, which contains middleware for use with the Application Load Balancer (ALB) OpenID Connect integration in ASP.NET Core deployment scenarios. The middleware verifies the signature of the JWT that the ALB places in the x-amzn-oidc-data header, but it does not check the JWT's issuer or the identity of the signer (the ALB ARN carried in the token header). Because the public key is looked up only by key ID, a JWT minted by a different ALB, with a different OIDC configuration, also passes the signature check. An untrusted party who can reach the ALB targets directly, bypassing the ALB, can therefore present such a token and be treated as a valid OIDC-federated session. The attack is only possible if the infrastructure owner allows internet traffic to reach the ALB targets; ensure that ELB targets do not have public IP addresses.

Recommendations
As a temporary workaround, validate the signer attribute in the JWT header against the ARN of the Application Load Balancer that the service is configured to sit behind, and reject tokens whose signer does not match. Ensure any forked or derivative code includes this validation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
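The following ASP.NET Core middleware is an added example of the workaround described above; it is not code from the Amazon.ApplicationLoadBalancer.Identity.AspNetCore project. It assumes the ALB ARN and OIDC issuer are supplied from configuration (the values are placeholders), and it is meant to run in front of the existing ALB identity middleware, which must still verify the token signature: the signer and iss fields live in the signed JOSE header, so a forged value breaks the signature, but only if the signature is actually checked afterwards.

```csharp
// Added example: enforce the "signer must match our ALB ARN" workaround
// before any public-key lookup or signature verification takes place.
// Not the project's own code; configuration values are assumed.
using System;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

public sealed class AlbSignerValidationMiddleware
{
    // Header the ALB adds to every request it forwards after OIDC authentication.
    private const string AlbOidcDataHeader = "x-amzn-oidc-data";

    private readonly RequestDelegate _next;
    private readonly string _expectedAlbArn;  // ARN of the ALB this service sits behind (assumed, from configuration)
    private readonly string _expectedIssuer;  // OIDC issuer configured on that ALB's listener rule (assumed, from configuration)

    public AlbSignerValidationMiddleware(RequestDelegate next, string expectedAlbArn, string expectedIssuer)
    {
        _next = next ?? throw new ArgumentNullException(nameof(next));
        _expectedAlbArn = expectedAlbArn ?? throw new ArgumentNullException(nameof(expectedAlbArn));
        _expectedIssuer = expectedIssuer ?? throw new ArgumentNullException(nameof(expectedIssuer));
    }

    public async Task InvokeAsync(HttpContext context)
    {
        var token = context.Request.Headers[AlbOidcDataHeader].ToString();
        if (string.IsNullOrEmpty(token))
        {
            // No ALB identity at all: treat the request as unauthenticated.
            context.Response.StatusCode = StatusCodes.Status401Unauthorized;
            return;
        }

        if (!IsFromExpectedAlb(token, _expectedAlbArn, _expectedIssuer))
        {
            // Token was minted by some other ALB / OIDC configuration: refuse it even
            // though its signature might verify against a key from the regional endpoint.
            context.Response.StatusCode = StatusCodes.Status403Forbidden;
            return;
        }

        await _next(context);
    }

    // True only when the JOSE header's "signer" equals the expected ALB ARN and
    // "iss" equals the expected issuer. Both fields are covered by the signature
    // that the downstream ALB identity middleware still has to verify.
    public static bool IsFromExpectedAlb(string token, string expectedAlbArn, string expectedIssuer)
    {
        var parts = token.Split('.');
        if (parts.Length != 3) return false;

        byte[] headerJson;
        try { headerJson = DecodeBase64Url(parts[0]); }
        catch (FormatException) { return false; }

        try
        {
            using var doc = JsonDocument.Parse(headerJson);
            var header = doc.RootElement;
            return header.TryGetProperty("signer", out var signer)
                && signer.ValueKind == JsonValueKind.String
                && string.Equals(signer.GetString(), expectedAlbArn, StringComparison.Ordinal)
                && header.TryGetProperty("iss", out var iss)
                && iss.ValueKind == JsonValueKind.String
                && string.Equals(iss.GetString(), expectedIssuer, StringComparison.Ordinal);
        }
        catch (JsonException) { return false; }
    }

    // ALB-issued tokens may carry '=' padding inside base64url segments, which strict
    // JWT parsers reject; strip it and re-pad to a length Convert.FromBase64String accepts.
    private static byte[] DecodeBase64Url(string segment)
    {
        var s = segment.TrimEnd('=').Replace('-', '+').Replace('_', '/');
        switch (s.Length % 4)
        {
            case 2: s += "=="; break;
            case 3: s += "="; break;
            case 1: throw new FormatException("invalid base64url segment length");
        }
        return Convert.FromBase64String(s);
    }
}
```

Register it ahead of the ALB identity middleware, for example `app.UseMiddleware<AlbSignerValidationMiddleware>(albArn, issuer);` with both values taken from configuration. The check is a defence in depth, not a substitute for keeping the targets off the public internet: a caller who can only reach the service through the ALB never controls the x-amzn-oidc-data header in the first place.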

Weakness Enumeration

Authentication Bypass by Spoofing

Related Identifiers

CVE-2024-10125

Affected Products

Amazon.ApplicationLoadBalancer.Identity.AspNetCore