GHSA-rv9j-c866-gp5h: Microsoft.IdentityModel.Protocols.SignedHttpRequest remote code execution vulnerability

Impact

What kind of vulnerability is it? Who is impacted? Anyone using the SignedHttpRequest protocol or the SignedHttpRequestValidator is affected. By default, Microsoft.IdentityModel trusts the jku (JWK Set URL) claim when validating a SignedHttpRequest and dereferences it to fetch the key, so whoever presents the token chooses the URL: the validating service can be made to issue an arbitrary HTTP GET to any remote or local address, which is in effect a server-side request forgery primitive.
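The trust problem described above in general form, as an added example that is not code from the page or from Microsoft.IdentityModel: a proof-of-possession key resolver that dereferences the token's cnf.jku as presented, beside one that refuses jku unless an explicit policy enables it for a fixed host allowlist over https. The FakeHttp recorder, the JkuPolicy class, the resolver function names and the sample token payload are all constructed for this illustration; the page does not describe how the patched library is configured, so nothing here should be read as its API.

```python
"""Generic illustration of the jku trust problem (added example, not library code).

A proof-of-possession (PoP) token carries a "cnf" (confirmation) claim that tells
the verifier which key the client must prove possession of.  The key may be
embedded ("jwk") or referenced by URL ("jku" plus "kid").  A verifier that
dereferences "jku" as presented lets whoever minted or tampered with the token
pick the URL, so the verifier issues an HTTP GET wherever the attacker points it.
"""
import ipaddress
from urllib.parse import urlsplit


class FakeHttp:
    """Records GET targets instead of fetching them so the example runs offline."""

    def __init__(self):
        self.requests = []

    def get_json(self, url):
        self.requests.append(url)
        return {"keys": []}  # what an attacker-controlled server might answer


# Constructed sample payload (not a real token): an attacker-supplied token whose
# cnf.jku points at a cloud instance-metadata endpoint, a classic "local" target.
ATTACKER_PAYLOAD = {
    "iss": "https://login.example.test",
    "aud": "api://orders",
    "cnf": {"jku": "http://169.254.169.254/latest/meta-data/", "kid": "k1"},
}


def resolve_pop_key_unsafe(payload, http):
    """Vulnerable pattern: trusts cnf.jku and fetches it unconditionally."""
    cnf = payload.get("cnf", {})
    if "jwk" in cnf:
        return cnf["jwk"]
    if "jku" in cnf:
        jwks = http.get_json(cnf["jku"])          # the GET happens here, attacker's URL
        for key in jwks.get("keys", []):
            if key.get("kid") == cnf.get("kid"):
                return key
    return None


class JkuPolicy:
    """Hardened pattern: jku is ignored unless explicitly enabled for an allowlist."""

    def __init__(self, allowed_hosts=(), allow_jku=False):
        self.allow_jku = allow_jku
        self.allowed_hosts = {h.lower() for h in allowed_hosts}

    def permits(self, url):
        if not self.allow_jku:
            return False
        try:
            parts = urlsplit(url)
            port = parts.port                      # raises ValueError on a malformed port
        except ValueError:
            return False
        host = (parts.hostname or "").lower()
        if parts.scheme != "https" or not host:
            return False
        if parts.username or parts.password:       # https://good.host@evil.host/ form
            return False
        if port not in (None, 443):
            return False
        try:
            ipaddress.ip_address(host)             # an IP literal is never an allowed host
            return False
        except ValueError:
            pass
        return host in self.allowed_hosts          # exact match, no suffix matching


def resolve_pop_key_safe(payload, http, policy):
    """Same lookup, but a jku outside the policy is a validation failure, not a GET."""
    cnf = payload.get("cnf", {})
    if "jwk" in cnf:
        return cnf["jwk"]
    jku = cnf.get("jku")
    if jku is None:
        return None
    if not policy.permits(jku):
        raise ValueError(f"refusing to dereference jku: {jku}")
    jwks = http.get_json(jku)
    for key in jwks.get("keys", []):
        if key.get("kid") == cnf.get("kid"):
            return key
    return None
```

The unsafe resolver issues the GET the attacker asked for before any signature check can fail; the hardened one treats an out-of-policy jku as a validation failure and never touches the network. Exact hostname matching rather than suffix matching is what defeats the userinfo form (https://keys.example.test@evil.test/ parses to host evil.test), and rejecting IP literals and non-443 ports closes the obvious routes to loopback and link-local services.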

Patches

Has the problem been patched? What versions should users upgrade to? Yes. The vulnerability is fixed in Microsoft.IdentityModel.Protocols.SignedHttpRequest. Anyone using that package should update all of their Microsoft.IdentityModel packages to 7.1.2 or later (7.x) or 6.34.0 or later (6.x). Since the Microsoft.IdentityModel packages need to move to a patched version together, check the full dependency graph including transitive references (for example with dotnet list package --include-transitive), not only direct package references.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading? No, users must upgrade.

References

Are there any links users can visit to find out more? https://aka.ms/IdentityModel/Jan2024/jku


Package

Microsoft.IdentityModel.Protocols.SignedHttpRequest (NuGet)

Affected versions

< 6.34.0

>= 7.0.0-preview, < 7.1.2

Patched versions

6.34.0

7.1.2


References

  • GHSA-rv9j-c866-gp5h
  • https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/releases/tag/6.34.0
  • https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/releases/tag/7.1.2

Published by jennyf19 to AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet: Jan 9, 2024

Published to the GitHub Advisory Database: Jan 9, 2024

Reviewed: Jan 9, 2024

Last updated: Jan 9, 2024
