Vulnerability-Lookup

GHSA-QW22-8W9R-864H

Vulnerability from github – Published: 2023-10-05 20:55 – Updated: 2023-10-13 22:11

Summary

io.micronaut.security:micronaut-security-oauth2 has invalid IdTokenClaimsValidator logic on aud

Details

Summary

IdTokenClaimsValidator skips aud claim validation if token is issued by same identity issuer/provider.

Details

See https://github.com/micronaut-projects/micronaut-security/blob/master/security-oauth2/src/main/java/io/micronaut/security/oauth2/client/IdTokenClaimsValidator.java#L202

This logic violates point 3 of https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation.

Workaround exists by setting micronaut.security.token.jwt.claims-validators.audience with valid values. micronaut.security.token.jwt.claims-validators.openid-idtoken can be kept as default on.

PoC

Should probably be:

                return issuer.equalsIgnoreCase(iss) &&
                        audiences.contains(clientId) &&
                                validateAzp(claims, clientId, audiences);

Impact

Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared.

Mitigation

Please upgrade to a patched micronaut-security-oauth2 release as soon as possible.

If you cannot upgrade, for example, if you are still using Micronaut Framework 2, you can patch your application by creating a replacement of IdTokenClaimsValidatorReplacement

```java package cve;

import io.micronaut.context.annotation.Replaces; import io.micronaut.context.annotation.Requires; import io.micronaut.core.annotation.NonNull; import io.micronaut.core.util.StringUtils; import io.micronaut.security.config.SecurityConfigurationProperties; import io.micronaut.security.oauth2.client.IdTokenClaimsValidator; import io.micronaut.security.oauth2.configuration.OauthClientConfiguration; import io.micronaut.security.oauth2.configuration.OpenIdClientConfiguration; import io.micronaut.security.token.jwt.generator.claims.JwtClaims; import io.micronaut.security.token.jwt.validator.JwtClaimsValidatorConfigurationProperties;

import javax.inject.Singleton; import java.net.URL; import java.util.Collection; import java.util.List; import java.util.Optional;

@Requires(property = SecurityConfigurationProperties.PREFIX + ".authentication", value = "idtoken") @Requires(property = JwtClaimsValidatorConfigurationProperties.PREFIX + ".openid-idtoken", notEquals = StringUtils.FALSE) @Singleton @Replaces(IdTokenClaimsValidator.class) public class IdTokenClaimsValidatorReplacement extends IdTokenClaimsValidator { public IdTokenClaimsValidatorReplacement(Collection oauthClientConfigurations) { super(oauthClientConfigurations); }

@Override
protected boolean validateIssuerAudienceAndAzp(@NonNull JwtClaims claims,
                                               @NonNull String iss,
                                               @NonNull List<String> audiences,
                                               @NonNull String clientId,
                                               @NonNull OpenIdClientConfiguration openIdClientConfiguration) {
    if (openIdClientConfiguration.getIssuer().isPresent()) {
        Optional<URL> issuerOptional = openIdClientConfiguration.getIssuer();
        if (issuerOptional.isPresent()) {
            String issuer = issuerOptional.get().toString();
            return issuer.equalsIgnoreCase(iss) &&
                    audiences.contains(clientId) &&
                            validateAzp(claims, clientId, audiences);
        }
    }
    return false;
}

} ``

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.micronaut.security:micronaut-security-oauth2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.11.0"
            },
            {
              "fixed": "3.11.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.micronaut.security:micronaut-security-oauth2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.10.0"
            },
            {
              "fixed": "3.10.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.micronaut.security:micronaut-security-oauth2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.9.0"
            },
            {
              "fixed": "3.9.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.micronaut.security:micronaut-security-oauth2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.8.0"
            },
            {
              "fixed": "3.8.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.micronaut.security:micronaut-security-oauth2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.7.0"
            },
            {
              "fixed": "3.7.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.micronaut.security:micronaut-security-oauth2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.6.0"
            },
            {
              "fixed": "3.6.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.micronaut.security:micronaut-security-oauth2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.5.0"
            },
            {
              "fixed": "3.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.micronaut.security:micronaut-security-oauth2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.4.0"
            },
            {
              "fixed": "3.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.micronaut.security:micronaut-security-oauth2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.3.0"
            },
            {
              "fixed": "3.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.micronaut.security:micronaut-security-oauth2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.2.0"
            },
            {
              "fixed": "3.2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.micronaut.security:micronaut-security-oauth2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.0"
            },
            {
              "fixed": "3.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-36820"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-05T20:55:14Z",
    "nvd_published_at": "2023-10-09T14:15:10Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nIdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider.\n\n### Details\n\nSee https://github.com/micronaut-projects/micronaut-security/blob/master/security-oauth2/src/main/java/io/micronaut/security/oauth2/client/IdTokenClaimsValidator.java#L202\n\nThis logic violates point 3 of https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation. \n\nWorkaround exists by setting `micronaut.security.token.jwt.claims-validators.audience` with valid values. \n `micronaut.security.token.jwt.claims-validators.openid-idtoken` can be kept as default on.\n\n### PoC\n\nShould probably be:\n\n```java\n                return issuer.equalsIgnoreCase(iss) \u0026\u0026\n                        audiences.contains(clientId) \u0026\u0026\n                                validateAzp(claims, clientId, audiences);\n```\n\n### Impact\n\nAny OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared.\n\n\n### Mitigation\n\nPlease upgrade to a patched `micronaut-security-oauth2` release as soon as possible.  \n\nIf you cannot upgrade, for example, if you are still using Micronaut Framework 2, you can patch your application by creating a replacement of `IdTokenClaimsValidatorReplacement`\n\n```java\npackage cve;\n\nimport io.micronaut.context.annotation.Replaces;\nimport io.micronaut.context.annotation.Requires;\nimport io.micronaut.core.annotation.NonNull;\nimport io.micronaut.core.util.StringUtils;\nimport io.micronaut.security.config.SecurityConfigurationProperties;\nimport io.micronaut.security.oauth2.client.IdTokenClaimsValidator;\nimport io.micronaut.security.oauth2.configuration.OauthClientConfiguration;\nimport io.micronaut.security.oauth2.configuration.OpenIdClientConfiguration;\nimport io.micronaut.security.token.jwt.generator.claims.JwtClaims;\nimport io.micronaut.security.token.jwt.validator.JwtClaimsValidatorConfigurationProperties;\n\nimport javax.inject.Singleton;\nimport java.net.URL;\nimport java.util.Collection;\nimport java.util.List;\nimport java.util.Optional;\n\n@Requires(property = SecurityConfigurationProperties.PREFIX + \".authentication\", value = \"idtoken\")\n@Requires(property = JwtClaimsValidatorConfigurationProperties.PREFIX + \".openid-idtoken\", notEquals = StringUtils.FALSE)\n@Singleton\n@Replaces(IdTokenClaimsValidator.class)\npublic class IdTokenClaimsValidatorReplacement extends IdTokenClaimsValidator {\n    public IdTokenClaimsValidatorReplacement(Collection\u003cOauthClientConfiguration\u003e oauthClientConfigurations) {\n        super(oauthClientConfigurations);\n    }\n\n    @Override\n    protected boolean validateIssuerAudienceAndAzp(@NonNull JwtClaims claims,\n                                                   @NonNull String iss,\n                                                   @NonNull List\u003cString\u003e audiences,\n                                                   @NonNull String clientId,\n                                                   @NonNull OpenIdClientConfiguration openIdClientConfiguration) {\n        if (openIdClientConfiguration.getIssuer().isPresent()) {\n            Optional\u003cURL\u003e issuerOptional = openIdClientConfiguration.getIssuer();\n            if (issuerOptional.isPresent()) {\n                String issuer = issuerOptional.get().toString();\n                return issuer.equalsIgnoreCase(iss) \u0026\u0026\n                        audiences.contains(clientId) \u0026\u0026\n                                validateAzp(claims, clientId, audiences);\n            }\n        }\n        return false;\n    }\n}\n``",
  "id": "GHSA-qw22-8w9r-864h",
  "modified": "2023-10-13T22:11:53Z",
  "published": "2023-10-05T20:55:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36820"
    },
    {
      "type": "WEB",
      "url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/micronaut-projects/micronaut-security"
    },
    {
      "type": "WEB",
      "url": "https://github.com/micronaut-projects/micronaut-security/blob/master/security-oauth2/src/main/java/io/micronaut/security/oauth2/client/IdTokenClaimsValidator.java#L202"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "io.micronaut.security:micronaut-security-oauth2 has invalid IdTokenClaimsValidator logic on aud"
}

CVE-2023-36820 (GCVE-0-2023-36820)

Vulnerability from cvelistv5 – Published: 2023-10-09 13:30 – Updated: 2024-09-19 14:39

Title

micronaut security has invalid IdTokenClaimsValidator logic on aud

Summary

Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.

Severity ?

4.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE

CWE-284 - Improper Access Control

Assigner

GitHub_M

References

URL

Tags

	https://github.com/micronaut-projects/micronaut-s…	x_refsource_CONFIRM
	https://github.com/micronaut-projects/micronaut-s…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	micronaut-projects	micronaut-security	Affected: >= 3.11.0, < 3.11.1 Affected: >= 3.10.0, < 3.10.2 Affected: >= 3.9.0, < 3.9.6 Affected: >= 3.8.0, < 3.8.4 Affected: >= 3.7.0, < 3.7.4 Affected: >= 3.6.0, < 3.6.6 Affected: >= 3.5.0, < 3.5.3 Affected: >= 3.4.0, < 3.4.3 Affected: >= 3.3.0, < 3.3.2 Affected: >= 3.2.0, < 3.2.4 Affected: >= 3.1.0, < 3.1.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T17:01:09.850Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h"
          },
          {
            "name": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-36820",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-19T14:38:54.670086Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-19T14:39:04.617Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "micronaut-security",
          "vendor": "micronaut-projects",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 3.11.0, \u003c 3.11.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.10.0, \u003c 3.10.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.9.0, \u003c 3.9.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.8.0, \u003c 3.8.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.7.0, \u003c 3.7.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.6.0, \u003c 3.6.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.5.0, \u003c 3.5.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.4.0, \u003c 3.4.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.3.0, \u003c 3.3.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.2.0, \u003c 3.2.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.1.0, \u003c 3.1.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-09T13:30:26.387Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h"
        },
        {
          "name": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980"
        }
      ],
      "source": {
        "advisory": "GHSA-qw22-8w9r-864h",
        "discovery": "UNKNOWN"
      },
      "title": "micronaut security has invalid IdTokenClaimsValidator logic on aud"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-36820",
    "datePublished": "2023-10-09T13:30:26.387Z",
    "dateReserved": "2023-06-27T15:43:18.385Z",
    "dateUpdated": "2024-09-19T14:39:04.617Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-QW22-8W9R-864H

Summary

Details

PoC

Impact

Mitigation

CVE-2023-36820 (GCVE-0-2023-36820)

Tags

Sightings

Nomenclature