PT-2024-28632 · Duende · Duende IdentityServer
Author: Josephdecock · Published 2024-07-31 · Updated 2024-08-01
CVE-2024-39694
CVSS v4.0: 5.1 (Medium) · AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
- Duende IdentityServer versions 5.1 and earlier
- Duende IdentityServer versions 6.0 through 6.0.4
- Duende IdentityServer versions 6.1 through 6.1.7
- Duende IdentityServer versions 6.2 through 6.2.4
- Duende IdentityServer versions 6.3 through 6.3.9
- Duende IdentityServer versions 7.0 through 7.0.5
- All versions of IdentityServer4

Description
It is possible for an attacker to craft malicious URLs that certain functions in IdentityServer will incorrectly treat as local and trusted. If such a URL is returned as a redirect, some browsers will follow it to a third-party, untrusted site.

This issue does not allow an attacker to obtain user credentials, authorization codes, access tokens, refresh tokens, or identity tokens by itself. However, an attacker could exploit this issue as part of a phishing attack designed to steal user credentials.

The DefaultIdentityServerInteractionService methods GetAuthorizationContextAsync and IsValidReturnUrl may return non-null and true, respectively, for malicious URLs, incorrectly indicating that they can be safely redirected to. Other vulnerable methods include ServerUrlExtensions.GetIdentityServerRelativeUrl, ReturnUrlParser.ParseAsync, OidcReturnUrlParser.ParseAsync, ReturnUrlParser.IsValidReturnUrl, and OidcReturnUrlParser.IsValidReturnUrl.

Recommendations
- For Duende IdentityServer versions 5.1 and earlier, and all versions of IdentityServer4, consider updating to a supported version of Duende IdentityServer.
- For Duende IdentityServer versions 6.0 through 6.0.4, update to version 6.0.5 or later.
- For Duende IdentityServer versions 6.1 through 6.1.7, update to version 6.1.8 or later.
- For Duende IdentityServer versions 6.2 through 6.2.4, update to version 6.2.5 or later.
- For Duende IdentityServer versions 6.3 through 6.3.9, update to version 6.3.10 or later.
- For Duende IdentityServer versions 7.0 through 7.0.5, update to version 7.0.6 or later.
- If upgrading is not possible, use IUrlHelper.IsLocalUrl from ASP.NET Core to validate return URLs in user interface code in the IdentityServer host.
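As an added example (not Duende's own code), the workaround above applied in the IdentityServer host: a login-controller helper that refuses to redirect unless ASP.NET Core's IUrlHelper.IsLocalUrl accepts the return URL, regardless of what the library's own return-URL parsing says. It assumes a typical ASP.NET Core MVC AccountController with IIdentityServerInteractionService and ILogger injected; the helper name, the Login action and its parameter are hypothetical.

```csharp
using System.Threading.Tasks;
using Duende.IdentityServer.Services;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;

public class AccountController : Controller
{
    private readonly IIdentityServerInteractionService _interaction;
    private readonly ILogger<AccountController> _logger;

    public AccountController(IIdentityServerInteractionService interaction,
                             ILogger<AccountController> logger)
    {
        _interaction = interaction;
        _logger = logger;
    }

    // Hypothetical helper: returns a URL that the host itself has checked.
    // On affected versions, a non-null authorization context (or a true result
    // from IsValidReturnUrl) is NOT proof that returnUrl is local, so the
    // host-side IsLocalUrl check is applied in every branch.
    private async Task<string> SafeReturnUrlAsync(string? returnUrl)
    {
        if (string.IsNullOrEmpty(returnUrl))
        {
            return "~/";
        }

        // Still useful for the UI (client name, scopes), but not for trust.
        var context = await _interaction.GetAuthorizationContextAsync(returnUrl);

        // Url.IsLocalUrl (IUrlHelper on the Controller base class) accepts only
        // application-relative paths such as "/path" or "~/path".
        if (!Url.IsLocalUrl(returnUrl))
        {
            // Logging rejected values gives defenders a signal worth alerting on.
            _logger.LogWarning(
                "Rejected non-local returnUrl {ReturnUrl} (authorize context present: {HasContext})",
                returnUrl, context != null);
            return "~/";
        }

        return returnUrl;
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(string? returnUrl)
    {
        // ... authenticate the user here (omitted) ...
        return Redirect(await SafeReturnUrlAsync(returnUrl));
    }
}
```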

Weakness Enumeration
Open Redirect

Related Identifiers

CVE-2024-39694
GHSA-55P7-V223-X366
GHSA-FF4Q-64JC-GX98

Affected Products

ASP.NET Core
Duende IdentityServer