6.5

CVE-2023-36820

Exploit

micronaut security has invalid IdTokenClaimsValidator logic on aud

Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ObjectcomputingMicronaut Security Version < 3.1.2
ObjectcomputingMicronaut Security Version >= 3.2.0 < 3.2.4
ObjectcomputingMicronaut Security Version >= 3.3.0 < 3.3.2
ObjectcomputingMicronaut Security Version >= 3.4.0 < 3.4.3
ObjectcomputingMicronaut Security Version >= 3.5.0 < 3.5.3
ObjectcomputingMicronaut Security Version >= 3.6.0 < 3.6.6
ObjectcomputingMicronaut Security Version >= 3.7.0 < 3.7.4
ObjectcomputingMicronaut Security Version >= 3.8.0 < 3.8.4
ObjectcomputingMicronaut Security Version >= 3.9.0 < 3.9.6
ObjectcomputingMicronaut Security Version >= 3.10.0 < 3.10.2
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.45% 0.357
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.5 3.9 2.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
security-advisories@github.com 4.8 2.2 2.5
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980
Patch
https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h
Third Party Advisory
Exploit
Mitigation