CVE-2023-36820

2023-10-0914:15:10

CWE-284

[email protected]

web.nvd.nist.gov

micronaut security

oidc

vulnerability

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

AI Score

5.3

Confidence

High

EPSS

0.001

Percentile

21.7%

JSON

Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips aud claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.

Affected configurations

Nvd

Node

objectcomputingmicronaut_securityRange<3.1.2

objectcomputingmicronaut_securityRange3.2.0–3.2.4

objectcomputingmicronaut_securityRange3.3.0–3.3.2

objectcomputingmicronaut_securityRange3.4.0–3.4.3

objectcomputingmicronaut_securityRange3.5.0–3.5.3

objectcomputingmicronaut_securityRange3.6.0–3.6.6

objectcomputingmicronaut_securityRange3.7.0–3.7.4

objectcomputingmicronaut_securityRange3.8.0–3.8.4

objectcomputingmicronaut_securityRange3.9.0–3.9.6

objectcomputingmicronaut_securityRange3.10.0–3.10.2

objectcomputingmicronaut_securityMatch3.11.0

VendorProductVersionCPE
objectcomputingmicronaut_security*cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*
objectcomputingmicronaut_security3.11.0cpe:2.3:a:objectcomputing:micronaut_security:3.11.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
objectcomputing	micronaut_security	*	cpe:2.3:a:objectcomputing:micronaut_security::::::::
objectcomputing	micronaut_security	3.11.0	cpe:2.3:a:objectcomputing:micronaut_security:3.11.0:::::::*