PT-2024-35077 · Duende · Duende.Accesstokenmanagement.Openidconnect
Natelaff · Published 2024-11-07 · Updated 2024-11-08 · CVE-2024-51987
CVSS v3.1: 5.4 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Duende.AccessTokenManagement.OpenIdConnect versions prior to 3.0.1
Description
Duende.AccessTokenManagement.OpenIdConnect is a set of .NET libraries that manage OAuth and OpenID Connect access tokens. HTTP clients created by AddUserAccessTokenHttpClient may use a different user's access token after a token refresh occurs. This happens because the refreshed token is captured in pooled HttpClient instances, which may later serve requests for a different user. Instead of using AddUserAccessTokenHttpClient to create an HttpClient that automatically adds a managed token to outgoing requests, you can obtain the token per request with the HttpContext.GetUserAccessTokenAsync extension method or the IUserTokenManagementService.GetAccessTokenAsync method.
Recommendations
For versions prior to 3.0.1, upgrade to Duende.AccessTokenManagement.OpenIdConnect 3.0.1 to fix the issue.
As a temporary workaround, consider obtaining the token per request with the HttpContext.GetUserAccessTokenAsync extension method or the IUserTokenManagementService.GetAccessTokenAsync method, instead of using AddUserAccessTokenHttpClient to create an HttpClient that automatically adds a managed token to outgoing requests.
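The workaround above, as an added example that is not part of the advisory or the Duende project: the user's token is resolved for the current request and placed on the HttpRequestMessage, so nothing user-specific is stored on the pooled client. The named client "downstream-api", the downstream URL and the exact UserToken members (AccessToken, IsError, Error) are assumptions about the caller's setup and the library's API.

```csharp
// Added example, not from the advisory or the Duende project.
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using Duende.AccessTokenManagement.OpenIdConnect;
using Microsoft.AspNetCore.Http;

public static class DownstreamApiProxy
{
    // Assumptions: a named HttpClient "downstream-api" is registered via
    // AddHttpClient (without AddUserAccessTokenHttpClient), and the downstream
    // URL is a placeholder.
    public static async Task<IResult> GetOrdersAsync(
        HttpContext httpContext,
        IHttpClientFactory httpClientFactory,
        CancellationToken ct)
    {
        // Resolve the token for the user of *this* request. The token is never
        // cached on the HttpClient, so a refresh performed for one user cannot
        // be replayed on another user's request by a pooled client.
        UserToken token = await httpContext.GetUserAccessTokenAsync(cancellationToken: ct);
        if (token.IsError)
        {
            // Surface a token failure instead of sending an unauthenticated call.
            return Results.Problem($"Token acquisition failed: {token.Error}", statusCode: 502);
        }

        // Attach the bearer token to the request message, not to
        // client.DefaultRequestHeaders, which would be shared by the pool.
        HttpClient client = httpClientFactory.CreateClient("downstream-api");
        using var request = new HttpRequestMessage(HttpMethod.Get, "https://api.example.invalid/orders");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.AccessToken);

        using HttpResponseMessage response = await client.SendAsync(request, ct);
        string body = await response.Content.ReadAsStringAsync(ct);
        return Results.Content(body, "application/json", statusCode: (int)response.StatusCode);
    }
}
```

Map it in a minimal API with `app.MapGet("/orders", DownstreamApiProxy.GetOrdersAsync).RequireAuthorization();` so the HttpContext passed in always belongs to the authenticated caller.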
Affected Products
Duende.Accesstokenmanagement.Openidconnect