CVE-2024-49755 (GCVE-0-2024-49755)
Vulnerability from cvelistv5 – Published: 2024-10-28 19:44 – Updated: 2024-10-29 17:54
VLAI?
Summary
Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. IdentityServer's local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local api endpoints even without possessing the private key for signing proof tokens. Note that this only impacts custom endpoints within an IdentityServer implementation that have explicitly used the LocalApiAuthenticationHandler for authentication. This vulnerability is patched in IdentityServer 7.0.8. Version 6.3 and below are unaffected, as they do not support DPoP in Local APIs.
Severity ?
CWE
- CWE-287 - Improper Authentication
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| DuendeSoftware | IdentityServer |
Affected:
>= 7.0.0, < 7.0.8
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49755",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-29T17:54:15.796016Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-29T17:54:35.440Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "IdentityServer",
"vendor": "DuendeSoftware",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.0.0, \u003c 7.0.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. IdentityServer\u0027s local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local api endpoints even without possessing the private key for signing proof tokens. Note that this only impacts custom endpoints within an IdentityServer implementation that have explicitly used the LocalApiAuthenticationHandler for authentication. This vulnerability is patched in IdentityServer 7.0.8. Version 6.3 and below are unaffected, as they do not support DPoP in Local APIs."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-28T19:44:15.536Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/DuendeSoftware/IdentityServer/security/advisories/GHSA-v9xq-2mvm-x8xc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/DuendeSoftware/IdentityServer/security/advisories/GHSA-v9xq-2mvm-x8xc"
},
{
"name": "https://github.com/DuendeSoftware/IdentityServer/commit/f28cac921c1f545afe65af71a9327224755b6dac",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/DuendeSoftware/IdentityServer/commit/f28cac921c1f545afe65af71a9327224755b6dac"
}
],
"source": {
"advisory": "GHSA-v9xq-2mvm-x8xc",
"discovery": "UNKNOWN"
},
"title": "Duende IdentityServer has insufficient validation of DPoP cnf claim in Local APIs"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-49755",
"datePublished": "2024-10-28T19:44:15.536Z",
"dateReserved": "2024-10-18T13:43:23.453Z",
"dateUpdated": "2024-10-29T17:54:35.440Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. IdentityServer\u0027s local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local api endpoints even without possessing the private key for signing proof tokens. Note that this only impacts custom endpoints within an IdentityServer implementation that have explicitly used the LocalApiAuthenticationHandler for authentication. This vulnerability is patched in IdentityServer 7.0.8. Version 6.3 and below are unaffected, as they do not support DPoP in Local APIs.\"}, {\"lang\": \"es\", \"value\": \"Duende IdentityServer es un framework de trabajo de OpenID Connect y OAuth 2.x para ASP.NET Core. El controlador de autenticaci\\u00f3n de API local de IdentityServer realiza una validaci\\u00f3n insuficiente de la reclamaci\\u00f3n cnf en tokens de acceso DPoP. Esto permite que un atacante utilice tokens de acceso DPoP filtrados en endpoints de API locales incluso sin poseer la clave privada para firmar tokens de prueba. Tenga en cuenta que esto solo afecta a los endpoints personalizados dentro de una implementaci\\u00f3n de IdentityServer que hayan utilizado expl\\u00edcitamente LocalApiAuthenticationHandler para la autenticaci\\u00f3n. Esta vulnerabilidad est\\u00e1 corregida en IdentityServer 7.0.8. La versi\\u00f3n 6.3 y anteriores no se ven afectadas, ya que no admiten DPoP en API locales.\"}]",
"id": "CVE-2024-49755",
"lastModified": "2024-10-29T14:34:50.257",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N\", \"baseScore\": 3.1, \"baseSeverity\": \"LOW\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.6, \"impactScore\": 1.4}]}",
"published": "2024-10-28T20:15:06.297",
"references": "[{\"url\": \"https://github.com/DuendeSoftware/IdentityServer/commit/f28cac921c1f545afe65af71a9327224755b6dac\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/DuendeSoftware/IdentityServer/security/advisories/GHSA-v9xq-2mvm-x8xc\", \"source\": \"security-advisories@github.com\"}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-287\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-49755\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-10-28T20:15:06.297\",\"lastModified\":\"2024-10-29T14:34:50.257\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. IdentityServer\u0027s local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local api endpoints even without possessing the private key for signing proof tokens. Note that this only impacts custom endpoints within an IdentityServer implementation that have explicitly used the LocalApiAuthenticationHandler for authentication. This vulnerability is patched in IdentityServer 7.0.8. Version 6.3 and below are unaffected, as they do not support DPoP in Local APIs.\"},{\"lang\":\"es\",\"value\":\"Duende IdentityServer es un framework de trabajo de OpenID Connect y OAuth 2.x para ASP.NET Core. El controlador de autenticaci\u00f3n de API local de IdentityServer realiza una validaci\u00f3n insuficiente de la reclamaci\u00f3n cnf en tokens de acceso DPoP. Esto permite que un atacante utilice tokens de acceso DPoP filtrados en endpoints de API locales incluso sin poseer la clave privada para firmar tokens de prueba. Tenga en cuenta que esto solo afecta a los endpoints personalizados dentro de una implementaci\u00f3n de IdentityServer que hayan utilizado expl\u00edcitamente LocalApiAuthenticationHandler para la autenticaci\u00f3n. Esta vulnerabilidad est\u00e1 corregida en IdentityServer 7.0.8. La versi\u00f3n 6.3 y anteriores no se ven afectadas, ya que no admiten DPoP en API locales.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N\",\"baseScore\":3.1,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"references\":[{\"url\":\"https://github.com/DuendeSoftware/IdentityServer/commit/f28cac921c1f545afe65af71a9327224755b6dac\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/DuendeSoftware/IdentityServer/security/advisories/GHSA-v9xq-2mvm-x8xc\",\"source\":\"security-advisories@github.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-49755\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-29T17:54:15.796016Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-29T17:54:32.249Z\"}}], \"cna\": {\"title\": \"Duende IdentityServer has insufficient validation of DPoP cnf claim in Local APIs\", \"source\": {\"advisory\": \"GHSA-v9xq-2mvm-x8xc\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 3.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"DuendeSoftware\", \"product\": \"IdentityServer\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 7.0.0, \u003c 7.0.8\"}]}], \"references\": [{\"url\": \"https://github.com/DuendeSoftware/IdentityServer/security/advisories/GHSA-v9xq-2mvm-x8xc\", \"name\": \"https://github.com/DuendeSoftware/IdentityServer/security/advisories/GHSA-v9xq-2mvm-x8xc\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/DuendeSoftware/IdentityServer/commit/f28cac921c1f545afe65af71a9327224755b6dac\", \"name\": \"https://github.com/DuendeSoftware/IdentityServer/commit/f28cac921c1f545afe65af71a9327224755b6dac\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. IdentityServer\u0027s local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local api endpoints even without possessing the private key for signing proof tokens. Note that this only impacts custom endpoints within an IdentityServer implementation that have explicitly used the LocalApiAuthenticationHandler for authentication. This vulnerability is patched in IdentityServer 7.0.8. Version 6.3 and below are unaffected, as they do not support DPoP in Local APIs.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-287\", \"description\": \"CWE-287: Improper Authentication\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-10-28T19:44:15.536Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-49755\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-10-29T17:54:35.440Z\", \"dateReserved\": \"2024-10-18T13:43:23.453Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-10-28T19:44:15.536Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…