7.5

CVE-2021-44878

EPSS 0.14%
Veröffentlicht 06.01.2022 13:15:08
Zuletzt bearbeitet 21.11.2024 06:31:38
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

If an OpenID Connect provider supports the "none" algorithm (i.e., tokens with no signature), pac4j v5.3.0 (and prior) does not refuse it without an explicit configuration on its side or for the "idtoken" response type which is not secure and violates the OpenID Core Specification. The "none" algorithm does not require any signature verification when validating the ID tokens, which allows the attacker to bypass the token validation by injecting a malformed ID token using "none" as the value of "alg" key in the header with an empty signature value.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Pac4j ≫ Pac4j Version < 4.5.5

Pac4j ≫ Pac4j Version >= 5.0.0 < 5.3.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.14%	0.345

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:P/A:N

CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

https://github.com/pac4j/pac4j/commit/22b82ffd702a132d9f09da60362fc6264fc281ae

Patch

Third Party Advisory

https://openid.net/specs/openid-connect-core-1_0.html#IDToken

Third Party Advisory

Product

https://www.pac4j.org/blog/cve_2021_44878_is_this_serious.html

Vendor Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2021-44878

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-44878

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-44878

EUVD