CVE-2023-36820 - OpenCVE

Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Objectcomputing	Micronaut Security

Configuration 1 [-]

OR	cpe:2.3:a:objectcomputing:micronaut_security::::::::
	cpe:2.3:a:objectcomputing:micronaut_security::::::::
	cpe:2.3:a:objectcomputing:micronaut_security::::::::
	cpe:2.3:a:objectcomputing:micronaut_security::::::::
	cpe:2.3:a:objectcomputing:micronaut_security::::::::
	cpe:2.3:a:objectcomputing:micronaut_security::::::::
	cpe:2.3:a:objectcomputing:micronaut_security::::::::
	cpe:2.3:a:objectcomputing:micronaut_security::::::::
	cpe:2.3:a:objectcomputing:micronaut_security::::::::
	cpe:2.3:a:objectcomputing:micronaut_security::::::::
	cpe:2.3:a:objectcomputing:micronaut_security:3.11.0:::::::*

No data.

References

Link	Providers
https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980
https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h

History

Thu, 19 Sep 2024 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-10-09T13:30:26.387Z

Updated: 2024-09-19T14:39:04.617Z

Reserved: 2023-06-27T15:43:18.385Z

Link: CVE-2023-36820

Vulnrichment

Updated: 2024-08-02T17:01:09.850Z

NVD

Status : Analyzed

Published: 2023-10-09T14:15:10.640

Modified: 2023-10-13T16:35:04.037

Link: CVE-2023-36820

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-36820", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-06-27T15:43:18.385Z", "datePublished": "2023-10-09T13:30:26.387Z", "dateUpdated": "2024-09-19T14:39:04.617Z"}, "containers": {"cna": {"title": "micronaut security has invalid IdTokenClaimsValidator logic on aud", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h"}, {"name": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980", "tags": ["x_refsource_MISC"], "url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980"}], "affected": [{"vendor": "micronaut-projects", "product": "micronaut-security", "versions": [{"version": ">= 3.11.0, < 3.11.1", "status": "affected"}, {"version": ">= 3.10.0, < 3.10.2", "status": "affected"}, {"version": ">= 3.9.0, < 3.9.6", "status": "affected"}, {"version": ">= 3.8.0, < 3.8.4", "status": "affected"}, {"version": ">= 3.7.0, < 3.7.4", "status": "affected"}, {"version": ">= 3.6.0, < 3.6.6", "status": "affected"}, {"version": ">= 3.5.0, < 3.5.3", "status": "affected"}, {"version": ">= 3.4.0, < 3.4.3", "status": "affected"}, {"version": ">= 3.3.0, < 3.3.2", "status": "affected"}, {"version": ">= 3.2.0, < 3.2.4", "status": "affected"}, {"version": ">= 3.1.0, < 3.1.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-10-09T13:30:26.387Z"}, "descriptions": [{"lang": "en", "value": "Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.\n"}], "source": {"advisory": "GHSA-qw22-8w9r-864h", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:01:09.850Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h"}, {"name": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-19T14:38:54.670086Z", "id": "CVE-2023-36820", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-19T14:39:04.617Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h", "name": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980", "name": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:01:09.850Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-36820", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-19T14:38:54.670086Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-19T14:38:59.886Z"}}], "cna": {"title": "micronaut security has invalid IdTokenClaimsValidator logic on aud", "source": {"advisory": "GHSA-qw22-8w9r-864h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "micronaut-projects", "product": "micronaut-security", "versions": [{"status": "affected", "version": ">= 3.11.0, < 3.11.1"}, {"status": "affected", "version": ">= 3.10.0, < 3.10.2"}, {"status": "affected", "version": ">= 3.9.0, < 3.9.6"}, {"status": "affected", "version": ">= 3.8.0, < 3.8.4"}, {"status": "affected", "version": ">= 3.7.0, < 3.7.4"}, {"status": "affected", "version": ">= 3.6.0, < 3.6.6"}, {"status": "affected", "version": ">= 3.5.0, < 3.5.3"}, {"status": "affected", "version": ">= 3.4.0, < 3.4.3"}, {"status": "affected", "version": ">= 3.3.0, < 3.3.2"}, {"status": "affected", "version": ">= 3.2.0, < 3.2.4"}, {"status": "affected", "version": ">= 3.1.0, < 3.1.2"}]}], "references": [{"url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h", "name": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980", "name": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-10-09T13:30:26.387Z"}}}, "cveMetadata": {"cveId": "CVE-2023-36820", "state": "PUBLISHED", "dateUpdated": "2024-09-19T14:39:04.617Z", "dateReserved": "2023-06-27T15:43:18.385Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-10-09T13:30:26.387Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "670F1AC9-632E-4D47-9492-9BAC0084BE0E", "versionEndExcluding": "3.1.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "813AFD3C-E241-4376-AAF7-C4B276055121", "versionEndExcluding": "3.2.4", "versionStartIncluding": "3.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "9626C2B1-79E6-4908-9ADF-E520DFC3402C", "versionEndExcluding": "3.3.2", "versionStartIncluding": "3.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "FBCDEED9-3639-4D90-9808-F27F9E2FB02B", "versionEndExcluding": "3.4.3", "versionStartIncluding": "3.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "FDC29054-500C-4B79-BDD5-B48D989D02E9", "versionEndExcluding": "3.5.3", "versionStartIncluding": "3.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "EA9D354C-1D89-4B68-AF7C-D712F0A1A8AD", "versionEndExcluding": "3.6.6", "versionStartIncluding": "3.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "9AE52168-0CAF-4BF7-B88B-AF79149F6919", "versionEndExcluding": "3.7.4", "versionStartIncluding": "3.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "71B1B0A7-CCA3-4199-BC32-37C1138C6BF5", "versionEndExcluding": "3.8.4", "versionStartIncluding": "3.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "AA7B0DE4-ACD6-47AC-8059-9D9B97876B68", "versionEndExcluding": "3.9.6", "versionStartIncluding": "3.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "4476038E-A854-4946-9CBF-42E2253B17D9", "versionEndExcluding": "3.10.2", "versionStartIncluding": "3.10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:objectcomputing:micronaut_security:3.11.0:*:*:*:*:*:*:*", "matchCriteriaId": "15398E49-FF87-4B88-B9B3-B326709E26AD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.\n"}, {"lang": "es", "value": "Micronaut Security es una soluci\u00f3n de seguridad para aplicaciones. Antes de las versiones 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2 y 3.11.1, IdTokenClaimsValidator omite Validaci\u00f3n de reclamo `aud` si el token es emitido por el mismo emisor/proveedor de identidad. Cualquier configuraci\u00f3n de OIDC que utilice Micronaut en la que existan varias aplicaciones OIDC para el mismo emisor, pero la autenticaci\u00f3n de token no debe compartirse. Este problema se solucion\u00f3 en las versiones 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2 y 3.11. 1."}], "id": "CVE-2023-36820", "lastModified": "2023-10-13T16:35:04.037", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-10-09T14:15:10.640", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Primary"}]}