Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
2 vulnerabilities found for micronaut_security by objectcomputing
CVE-2023-36820 (GCVE-0-2023-36820)
Vulnerability from cvelistv5 – Published: 2023-10-09 13:30 – Updated: 2024-09-19 14:39
VLAI
Title
micronaut security has invalid IdTokenClaimsValidator logic on aud
Summary
Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.
Severity
4.8 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Control
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/micronaut-projects/micronaut-s… | x_refsource_CONFIRM |
| https://github.com/micronaut-projects/micronaut-s… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| micronaut-projects | micronaut-security |
Affected:
>= 3.11.0, < 3.11.1
Affected: >= 3.10.0, < 3.10.2 Affected: >= 3.9.0, < 3.9.6 Affected: >= 3.8.0, < 3.8.4 Affected: >= 3.7.0, < 3.7.4 Affected: >= 3.6.0, < 3.6.6 Affected: >= 3.5.0, < 3.5.3 Affected: >= 3.4.0, < 3.4.3 Affected: >= 3.3.0, < 3.3.2 Affected: >= 3.2.0, < 3.2.4 Affected: >= 3.1.0, < 3.1.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:01:09.850Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h"
},
{
"name": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-36820",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-19T14:38:54.670086Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-19T14:39:04.617Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "micronaut-security",
"vendor": "micronaut-projects",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.11.0, \u003c 3.11.1"
},
{
"status": "affected",
"version": "\u003e= 3.10.0, \u003c 3.10.2"
},
{
"status": "affected",
"version": "\u003e= 3.9.0, \u003c 3.9.6"
},
{
"status": "affected",
"version": "\u003e= 3.8.0, \u003c 3.8.4"
},
{
"status": "affected",
"version": "\u003e= 3.7.0, \u003c 3.7.4"
},
{
"status": "affected",
"version": "\u003e= 3.6.0, \u003c 3.6.6"
},
{
"status": "affected",
"version": "\u003e= 3.5.0, \u003c 3.5.3"
},
{
"status": "affected",
"version": "\u003e= 3.4.0, \u003c 3.4.3"
},
{
"status": "affected",
"version": "\u003e= 3.3.0, \u003c 3.3.2"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.4"
},
{
"status": "affected",
"version": "\u003e= 3.1.0, \u003c 3.1.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-09T13:30:26.387Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h"
},
{
"name": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980"
}
],
"source": {
"advisory": "GHSA-qw22-8w9r-864h",
"discovery": "UNKNOWN"
},
"title": "micronaut security has invalid IdTokenClaimsValidator logic on aud"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-36820",
"datePublished": "2023-10-09T13:30:26.387Z",
"dateReserved": "2023-06-27T15:43:18.385Z",
"dateUpdated": "2024-09-19T14:39:04.617Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-36820 (GCVE-0-2023-36820)
Vulnerability from nvd – Published: 2023-10-09 13:30 – Updated: 2024-09-19 14:39
VLAI
Title
micronaut security has invalid IdTokenClaimsValidator logic on aud
Summary
Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.
Severity
4.8 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Control
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/micronaut-projects/micronaut-s… | x_refsource_CONFIRM |
| https://github.com/micronaut-projects/micronaut-s… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| micronaut-projects | micronaut-security |
Affected:
>= 3.11.0, < 3.11.1
Affected: >= 3.10.0, < 3.10.2 Affected: >= 3.9.0, < 3.9.6 Affected: >= 3.8.0, < 3.8.4 Affected: >= 3.7.0, < 3.7.4 Affected: >= 3.6.0, < 3.6.6 Affected: >= 3.5.0, < 3.5.3 Affected: >= 3.4.0, < 3.4.3 Affected: >= 3.3.0, < 3.3.2 Affected: >= 3.2.0, < 3.2.4 Affected: >= 3.1.0, < 3.1.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:01:09.850Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h"
},
{
"name": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-36820",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-19T14:38:54.670086Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-19T14:39:04.617Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "micronaut-security",
"vendor": "micronaut-projects",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.11.0, \u003c 3.11.1"
},
{
"status": "affected",
"version": "\u003e= 3.10.0, \u003c 3.10.2"
},
{
"status": "affected",
"version": "\u003e= 3.9.0, \u003c 3.9.6"
},
{
"status": "affected",
"version": "\u003e= 3.8.0, \u003c 3.8.4"
},
{
"status": "affected",
"version": "\u003e= 3.7.0, \u003c 3.7.4"
},
{
"status": "affected",
"version": "\u003e= 3.6.0, \u003c 3.6.6"
},
{
"status": "affected",
"version": "\u003e= 3.5.0, \u003c 3.5.3"
},
{
"status": "affected",
"version": "\u003e= 3.4.0, \u003c 3.4.3"
},
{
"status": "affected",
"version": "\u003e= 3.3.0, \u003c 3.3.2"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.4"
},
{
"status": "affected",
"version": "\u003e= 3.1.0, \u003c 3.1.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-09T13:30:26.387Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h"
},
{
"name": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980"
}
],
"source": {
"advisory": "GHSA-qw22-8w9r-864h",
"discovery": "UNKNOWN"
},
"title": "micronaut security has invalid IdTokenClaimsValidator logic on aud"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-36820",
"datePublished": "2023-10-09T13:30:26.387Z",
"dateReserved": "2023-06-27T15:43:18.385Z",
"dateUpdated": "2024-09-19T14:39:04.617Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}