Lucene search

[email protected]CVE-2023-36820

HistoryOct 09, 2023 - 2:15 p.m.

CVE-2023-36820

2023-10-0914:15:10

CWE-284

[email protected]

web.nvd.nist.gov

cve-2023-36820

micronaut security

idtokenclaimsvalidator

oidc

security patch

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

0.0005 Low

EPSS

Percentile

17.0%

JSON

Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips aud claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.

Affected configurations

Vulners

NVD

Node

micronaut-projectsmicronaut_securityRange3.11.0–3.11.1

micronaut-projectsmicronaut_securityRange3.10.0–3.10.2

micronaut-projectsmicronaut_securityRange3.9.0–3.9.6

micronaut-projectsmicronaut_securityRange3.8.0–3.8.4

micronaut-projectsmicronaut_securityRange3.7.0–3.7.4

micronaut-projectsmicronaut_securityRange3.6.0–3.6.6

micronaut-projectsmicronaut_securityRange3.5.0–3.5.3

micronaut-projectsmicronaut_securityRange3.4.0–3.4.3

micronaut-projectsmicronaut_securityRange3.3.0–3.3.2

micronaut-projectsmicronaut_securityRange3.2.0–3.2.4

micronaut-projectsmicronaut_securityRange3.1.0–3.1.2

CPENameOperatorVersion
objectcomputing:micronaut_securityobjectcomputing micronaut securitylt3.1.2
objectcomputing:micronaut_securityobjectcomputing micronaut securitylt3.2.4
objectcomputing:micronaut_securityobjectcomputing micronaut securitylt3.3.2
objectcomputing:micronaut_securityobjectcomputing micronaut securitylt3.4.3
objectcomputing:micronaut_securityobjectcomputing micronaut securitylt3.5.3
objectcomputing:micronaut_securityobjectcomputing micronaut securitylt3.6.6
objectcomputing:micronaut_securityobjectcomputing micronaut securitylt3.7.4
objectcomputing:micronaut_securityobjectcomputing micronaut securitylt3.8.4
objectcomputing:micronaut_securityobjectcomputing micronaut securitylt3.9.6
objectcomputing:micronaut_securityobjectcomputing micronaut securitylt3.10.2

CPE	Name	Operator	Version
objectcomputing:micronaut_security	objectcomputing micronaut security	lt	3.1.2
objectcomputing:micronaut_security	objectcomputing micronaut security	lt	3.2.4
objectcomputing:micronaut_security	objectcomputing micronaut security	lt	3.3.2
objectcomputing:micronaut_security	objectcomputing micronaut security	lt	3.4.3
objectcomputing:micronaut_security	objectcomputing micronaut security	lt	3.5.3
objectcomputing:micronaut_security	objectcomputing micronaut security	lt	3.6.6
objectcomputing:micronaut_security	objectcomputing micronaut security	lt	3.7.4
objectcomputing:micronaut_security	objectcomputing micronaut security	lt	3.8.4
objectcomputing:micronaut_security	objectcomputing micronaut security	lt	3.9.6
objectcomputing:micronaut_security	objectcomputing micronaut security	lt	3.10.2

Rows per page:

1-10 of 111

CNA Affected

[
  {
    "vendor": "micronaut-projects",
    "product": "micronaut-security",
    "versions": [
      {
        "version": ">= 3.11.0, < 3.11.1",
        "status": "affected"
      },
      {
        "version": ">= 3.10.0, < 3.10.2",
        "status": "affected"
      },
      {
        "version": ">= 3.9.0, < 3.9.6",
        "status": "affected"
      },
      {
        "version": ">= 3.8.0, < 3.8.4",
        "status": "affected"
      },
      {
        "version": ">= 3.7.0, < 3.7.4",
        "status": "affected"
      },
      {
        "version": ">= 3.6.0, < 3.6.6",
        "status": "affected"
      },
      {
        "version": ">= 3.5.0, < 3.5.3",
        "status": "affected"
      },
      {
        "version": ">= 3.4.0, < 3.4.3",
        "status": "affected"
      },
      {
        "version": ">= 3.3.0, < 3.3.2",
        "status": "affected"
      },
      {
        "version": ">= 3.2.0, < 3.2.4",
        "status": "affected"
      },
      {
        "version": ">= 3.1.0, < 3.1.2",
        "status": "affected"
      }
    ]
  }
]