PT-2024-18993 · Microsoft · Microsoft.IdentityModel

Brentschmaltz
Published: 2024-01-09 · Updated: 2024-01-19
CVE-2024-21643
CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions

Microsoft.IdentityModel versions prior to 6.34.0
Microsoft.IdentityModel versions prior to 7.1.2

Description

The issue affects IdentityModel Extensions for .NET, which provide assemblies that let web developers use federated identity providers to establish the caller's identity. Anyone using the SignedHttpRequest protocol or the SignedHttpRequestValidator is affected. Because Microsoft.IdentityModel trusts the jku claim by default in the SignedHttpRequest protocol, the URL carried in that claim can cause the validator to issue arbitrary HTTP GET requests to remote or local addresses.

Recommendations

For Microsoft.IdentityModel versions prior to 6.34.0, update to 6.34.0 or higher.
For Microsoft.IdentityModel versions prior to 7.1.2, update to 7.1.2 or higher.

Weakness Enumeration

Code Injection

Related Identifiers

CVE-2024-21643
GHSA-RV9J-C866-GP5H

Affected Products

Microsoft.IdentityModel