Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-36820: Invalid IdTokenClaimsValidator logic on aud

Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips aud claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.

CVE
#git#java#oauth#auth#maven

Package

maven io.micronaut.security:micronaut-security-oauth2 (Maven)

Affected versions

>= 3.11.0, < 3.11.1

>= 3.10.0, < 3.10.2

>= 3.9.0, < 3.9.6

>= 3.8.0, < 3.8.4

>= 3.7.0, < 3.7.4

>= 3.6.0, < 3.6.6

>= 3.5.0, < 3.5.3

>= 3.4.0, < 3.4.3

>= 3.3.0, < 3.3.2

>= 3.2.0, < 3.2.4

>= 3.1.0, < 3.1.2

< 3.1

Patched versions

>= 3.11.1

>= 3.10.2

>= 3.9.6

>= 3.8.4

>= 3.7.4

>= 3.6.6

>= 3.5.3

>= 3.4.3

>= 3.3.2

>= 3.2.4

>= 3.1.2

n/a

Description

Summary

IdTokenClaimsValidator skips aud claim validation if token is issued by same identity issuer/provider.

Details

See https://github.com/micronaut-projects/micronaut-security/blob/master/security-oauth2/src/main/java/io/micronaut/security/oauth2/client/IdTokenClaimsValidator.java#L202

This logic violates point 3 of https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation.

Workaround exists by setting micronaut.security.token.jwt.claims-validators.audience with valid values.
micronaut.security.token.jwt.claims-validators.openid-idtoken can be kept as default on.

PoC

Should probably be:

            return issuer.equalsIgnoreCase(iss) &&
                    audiences.contains(clientId) &&
                            validateAzp(claims, clientId, audiences);

Impact

Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared.

Related news

GHSA-qw22-8w9r-864h: io.micronaut.security:micronaut-security-oauth2 has invalid IdTokenClaimsValidator logic on aud

### Summary IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. ### Details See https://github.com/micronaut-projects/micronaut-security/blob/master/security-oauth2/src/main/java/io/micronaut/security/oauth2/client/IdTokenClaimsValidator.java#L202 This logic violates point 3 of https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation. Workaround exists by setting `micronaut.security.token.jwt.claims-validators.audience` with valid values. `micronaut.security.token.jwt.claims-validators.openid-idtoken` can be kept as default on. ### PoC Should probably be: ```java return issuer.equalsIgnoreCase(iss) && audiences.contains(clientId) && validateAzp(claims, clientId, audiences); ``` ### Impact Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907