Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1ydjlqLWM4NjYtZ3A1aM4AA4Sp
Microsoft.IdentityModel.Protocols.SignedHttpRequest remote code execution vulnerability
Impact
What kind of vulnerability is it? Who is impacted?
Anyone leveraging the SignedHttpRequestprotocol or the SignedHttpRequestValidatoris vulnerable. Microsoft.IdentityModel trusts the jkuclaim by default for the SignedHttpRequestprotocol. This raises the possibility to make any remote or local HTTP GET request.
Patches
Has the problem been patched? What versions should users upgrade to?
The vulnerability has been fixed in Microsoft.IdentityModel.Protocols.SignedHttpRequest. Users should update all their Microsoft.IdentityModel versions to 7.1.2 (for 7x) or higher, 6.34.0 (for 6x) or higher, if using Microsoft.IdentityModel.Protocols.SignedHttpRequest.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
No, users must upgrade.
References
Are there any links users can visit to find out more?
https://aka.ms/IdentityModel/Jan2024/jku
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ydjlqLWM4NjYtZ3A1aM4AA4Sp
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 11 months ago
Updated: 10 months ago
CVSS Score: 7.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
Identifiers: GHSA-rv9j-c866-gp5h, CVE-2024-21643
References:
- https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/security/advisories/GHSA-rv9j-c866-gp5h
- https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/releases/tag/6.34.0
- https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/releases/tag/7.1.2
- https://nvd.nist.gov/vuln/detail/CVE-2024-21643
- https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/wiki/jkucve
- https://github.com/advisories/GHSA-rv9j-c866-gp5h
Blast Radius: 1.0
Affected Packages
nuget:Microsoft.IdentityModel.Protocols.SignedHttpRequest
Dependent packages: 0Dependent repositories: 0
Downloads: 1,900,748 total
Affected Version Ranges: >= 7.0.0-preview, < 7.1.2, < 6.34.0
Fixed in: 7.1.2, 6.34.0
All affected versions: 6.5.0, 6.5.1, 6.6.0, 6.7.0, 6.7.1, 6.8.0, 6.9.0, 6.10.0, 6.10.1, 6.10.2, 6.11.0, 6.11.1, 6.12.0, 6.12.1, 6.12.2, 6.13.0, 6.13.1, 6.14.0, 6.14.1, 6.15.0, 6.15.1, 6.16.0, 6.17.0, 6.18.0, 6.19.0, 6.20.0, 6.21.0, 6.22.0, 6.22.1, 6.23.0, 6.23.1, 6.24.0, 6.25.0, 6.25.1, 6.26.0, 6.26.1, 6.27.0, 6.28.0, 6.28.1, 6.29.0, 6.30.0, 6.30.1, 6.31.0, 6.32.0, 6.32.1, 6.32.2, 6.32.3, 6.33.0, 7.0.0, 7.0.0-preview, 7.0.0-preview2, 7.0.0-preview3, 7.0.0-preview4, 7.0.0-preview5, 7.0.1, 7.0.2, 7.0.3
All unaffected versions: 6.34.0, 6.35.0, 6.35.1, 6.36.0, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.4.0, 7.4.1, 7.5.0, 7.5.1, 7.5.2, 7.6.0, 7.6.1, 7.6.2, 7.6.3, 7.7.0, 7.7.1, 8.0.0, 8.0.1, 8.0.2, 8.1.0, 8.1.1, 8.1.2, 8.2.0, 8.2.1