2 matches found
Duende IdentityServer has insufficient validation of DPoP cnf claim in Local APIs
Impact: IdentityServer's local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local API endpoints even without possessing the private key for signing proof tokens. Note that this only...
PT-2024-8346 · Ivanti · Ivanti Itsm +1
Name of the Vulnerable Software and Affected Versions: Ivanti ITSM on-premise and Neurons for ITSM versions 2023.4 and earlier
Description: An information disclosure issue allows an unauthenticated attacker to obtain the OIDC client secret via debug information. This is related to insufficient...