Search criteria
3 vulnerabilities found for micronaut_security by objectcomputing
FKIE_CVE-2023-36820
Vulnerability from fkie_nvd - Published: 2023-10-09 14:15 - Updated: 2024-11-21 08:10
Severity ?
4.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*",
"matchCriteriaId": "670F1AC9-632E-4D47-9492-9BAC0084BE0E",
"versionEndExcluding": "3.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*",
"matchCriteriaId": "813AFD3C-E241-4376-AAF7-C4B276055121",
"versionEndExcluding": "3.2.4",
"versionStartIncluding": "3.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9626C2B1-79E6-4908-9ADF-E520DFC3402C",
"versionEndExcluding": "3.3.2",
"versionStartIncluding": "3.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FBCDEED9-3639-4D90-9808-F27F9E2FB02B",
"versionEndExcluding": "3.4.3",
"versionStartIncluding": "3.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FDC29054-500C-4B79-BDD5-B48D989D02E9",
"versionEndExcluding": "3.5.3",
"versionStartIncluding": "3.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EA9D354C-1D89-4B68-AF7C-D712F0A1A8AD",
"versionEndExcluding": "3.6.6",
"versionStartIncluding": "3.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9AE52168-0CAF-4BF7-B88B-AF79149F6919",
"versionEndExcluding": "3.7.4",
"versionStartIncluding": "3.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*",
"matchCriteriaId": "71B1B0A7-CCA3-4199-BC32-37C1138C6BF5",
"versionEndExcluding": "3.8.4",
"versionStartIncluding": "3.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AA7B0DE4-ACD6-47AC-8059-9D9B97876B68",
"versionEndExcluding": "3.9.6",
"versionStartIncluding": "3.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4476038E-A854-4946-9CBF-42E2253B17D9",
"versionEndExcluding": "3.10.2",
"versionStartIncluding": "3.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:objectcomputing:micronaut_security:3.11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "15398E49-FF87-4B88-B9B3-B326709E26AD",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.\n"
},
{
"lang": "es",
"value": "Micronaut Security es una soluci\u00f3n de seguridad para aplicaciones. Antes de las versiones 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2 y 3.11.1, IdTokenClaimsValidator omite Validaci\u00f3n de reclamo `aud` si el token es emitido por el mismo emisor/proveedor de identidad. Cualquier configuraci\u00f3n de OIDC que utilice Micronaut en la que existan varias aplicaciones OIDC para el mismo emisor, pero la autenticaci\u00f3n de token no debe compartirse. Este problema se solucion\u00f3 en las versiones 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2 y 3.11. 1."
}
],
"id": "CVE-2023-36820",
"lastModified": "2024-11-21T08:10:40.067",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 2.5,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-10-09T14:15:10.640",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
CVE-2023-36820 (GCVE-0-2023-36820)
Vulnerability from cvelistv5 – Published: 2023-10-09 13:30 – Updated: 2024-09-19 14:39
VLAI?
Title
micronaut security has invalid IdTokenClaimsValidator logic on aud
Summary
Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.
Severity ?
4.8 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| micronaut-projects | micronaut-security |
Affected:
>= 3.11.0, < 3.11.1
Affected: >= 3.10.0, < 3.10.2 Affected: >= 3.9.0, < 3.9.6 Affected: >= 3.8.0, < 3.8.4 Affected: >= 3.7.0, < 3.7.4 Affected: >= 3.6.0, < 3.6.6 Affected: >= 3.5.0, < 3.5.3 Affected: >= 3.4.0, < 3.4.3 Affected: >= 3.3.0, < 3.3.2 Affected: >= 3.2.0, < 3.2.4 Affected: >= 3.1.0, < 3.1.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:01:09.850Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h"
},
{
"name": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-36820",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-19T14:38:54.670086Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-19T14:39:04.617Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "micronaut-security",
"vendor": "micronaut-projects",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.11.0, \u003c 3.11.1"
},
{
"status": "affected",
"version": "\u003e= 3.10.0, \u003c 3.10.2"
},
{
"status": "affected",
"version": "\u003e= 3.9.0, \u003c 3.9.6"
},
{
"status": "affected",
"version": "\u003e= 3.8.0, \u003c 3.8.4"
},
{
"status": "affected",
"version": "\u003e= 3.7.0, \u003c 3.7.4"
},
{
"status": "affected",
"version": "\u003e= 3.6.0, \u003c 3.6.6"
},
{
"status": "affected",
"version": "\u003e= 3.5.0, \u003c 3.5.3"
},
{
"status": "affected",
"version": "\u003e= 3.4.0, \u003c 3.4.3"
},
{
"status": "affected",
"version": "\u003e= 3.3.0, \u003c 3.3.2"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.4"
},
{
"status": "affected",
"version": "\u003e= 3.1.0, \u003c 3.1.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-09T13:30:26.387Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h"
},
{
"name": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980"
}
],
"source": {
"advisory": "GHSA-qw22-8w9r-864h",
"discovery": "UNKNOWN"
},
"title": "micronaut security has invalid IdTokenClaimsValidator logic on aud"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-36820",
"datePublished": "2023-10-09T13:30:26.387Z",
"dateReserved": "2023-06-27T15:43:18.385Z",
"dateUpdated": "2024-09-19T14:39:04.617Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-36820 (GCVE-0-2023-36820)
Vulnerability from nvd – Published: 2023-10-09 13:30 – Updated: 2024-09-19 14:39
VLAI?
Title
micronaut security has invalid IdTokenClaimsValidator logic on aud
Summary
Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.
Severity ?
4.8 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| micronaut-projects | micronaut-security |
Affected:
>= 3.11.0, < 3.11.1
Affected: >= 3.10.0, < 3.10.2 Affected: >= 3.9.0, < 3.9.6 Affected: >= 3.8.0, < 3.8.4 Affected: >= 3.7.0, < 3.7.4 Affected: >= 3.6.0, < 3.6.6 Affected: >= 3.5.0, < 3.5.3 Affected: >= 3.4.0, < 3.4.3 Affected: >= 3.3.0, < 3.3.2 Affected: >= 3.2.0, < 3.2.4 Affected: >= 3.1.0, < 3.1.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:01:09.850Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h"
},
{
"name": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-36820",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-19T14:38:54.670086Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-19T14:39:04.617Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "micronaut-security",
"vendor": "micronaut-projects",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.11.0, \u003c 3.11.1"
},
{
"status": "affected",
"version": "\u003e= 3.10.0, \u003c 3.10.2"
},
{
"status": "affected",
"version": "\u003e= 3.9.0, \u003c 3.9.6"
},
{
"status": "affected",
"version": "\u003e= 3.8.0, \u003c 3.8.4"
},
{
"status": "affected",
"version": "\u003e= 3.7.0, \u003c 3.7.4"
},
{
"status": "affected",
"version": "\u003e= 3.6.0, \u003c 3.6.6"
},
{
"status": "affected",
"version": "\u003e= 3.5.0, \u003c 3.5.3"
},
{
"status": "affected",
"version": "\u003e= 3.4.0, \u003c 3.4.3"
},
{
"status": "affected",
"version": "\u003e= 3.3.0, \u003c 3.3.2"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.4"
},
{
"status": "affected",
"version": "\u003e= 3.1.0, \u003c 3.1.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-09T13:30:26.387Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h"
},
{
"name": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980"
}
],
"source": {
"advisory": "GHSA-qw22-8w9r-864h",
"discovery": "UNKNOWN"
},
"title": "micronaut security has invalid IdTokenClaimsValidator logic on aud"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-36820",
"datePublished": "2023-10-09T13:30:26.387Z",
"dateReserved": "2023-06-27T15:43:18.385Z",
"dateUpdated": "2024-09-19T14:39:04.617Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}