CVE-2024-21643
Microsoft.IdentityModel.Protocols.SignedHttpRequest remote code execution vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
IdentityModel Extensions for .NET provide assemblies for web developers that wish to use federated identity providers for establishing the caller's identity. Anyone leveraging the `SignedHttpRequest`protocol or the `SignedHttpRequestValidator`is vulnerable. Microsoft.IdentityModel trusts the `jku`claim by default for the `SignedHttpRequest`protocol. This raises the possibility to make any remote or local `HTTP GET` request. The vulnerability has been fixed in Microsoft.IdentityModel.Protocols.SignedHttpRequest. Users should update all their Microsoft.IdentityModel versions to 7.1.2 (for 7x) or higher, 6.34.0 (for 6x) or higher.
Las extensiones IdentityModel para .NET proporcionan ensamblados para desarrolladores web que deseen utilizar proveedores de identidad federados para establecer la identidad de la persona que llama. Cualquiera que aproveche el protocolo `SignedHttpRequest` o `SignedHttpRequestValidator` es vulnerable. Microsoft.IdentityModel confĂa en el reclamo `jku` de forma predeterminada para el protocolo `SignedHttpRequest`. Esto plantea la posibilidad de realizar cualquier solicitud `HTTP GET` remota o local. La vulnerabilidad se ha solucionado en Microsoft.IdentityModel.Protocols.SignedHttpRequest. Los usuarios deben actualizar todas sus versiones de Microsoft.IdentityModel a 7.1.2 (para 7x) o superior, 6.34.0 (para 6x) o superior.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2023-12-29 CVE Reserved
- 2024-01-10 CVE Published
- 2024-08-01 CVE Updated
- 2024-11-16 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-94: Improper Control of Generation of Code ('Code Injection')
CAPEC
References (4)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Microsoft Search vendor "Microsoft" | Identitymodel Extensions Search vendor "Microsoft" for product "Identitymodel Extensions" | < 6.34.0 Search vendor "Microsoft" for product "Identitymodel Extensions" and version " < 6.34.0" | .net |
Affected
| ||||||
| Microsoft Search vendor "Microsoft" | Identitymodel Extensions Search vendor "Microsoft" for product "Identitymodel Extensions" | >= 7.0.0 < 7.1.2 Search vendor "Microsoft" for product "Identitymodel Extensions" and version " >= 7.0.0 < 7.1.2" | .net |
Affected
| ||||||