{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-36820", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-06-27T15:43:18.385Z", "datePublished": "2023-10-09T13:30:26.387Z", "dateUpdated": "2024-09-19T14:39:04.617Z"}, "containers": {"cna": {"title": "micronaut security has invalid IdTokenClaimsValidator logic on aud", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h"}, {"name": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980", "tags": ["x_refsource_MISC"], "url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980"}], "affected": [{"vendor": "micronaut-projects", "product": "micronaut-security", "versions": [{"version": ">= 3.11.0, < 3.11.1", "status": "affected"}, {"version": ">= 3.10.0, < 3.10.2", "status": "affected"}, {"version": ">= 3.9.0, < 3.9.6", "status": "affected"}, {"version": ">= 3.8.0, < 3.8.4", "status": "affected"}, {"version": ">= 3.7.0, < 3.7.4", "status": "affected"}, {"version": ">= 3.6.0, < 3.6.6", "status": "affected"}, {"version": ">= 3.5.0, < 3.5.3", "status": "affected"}, {"version": ">= 3.4.0, < 3.4.3", "status": "affected"}, {"version": ">= 3.3.0, < 3.3.2", "status": "affected"}, {"version": ">= 3.2.0, < 3.2.4", "status": "affected"}, {"version": ">= 3.1.0, < 3.1.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-10-09T13:30:26.387Z"}, "descriptions": [{"lang": "en", "value": "Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.\n"}], "source": {"advisory": "GHSA-qw22-8w9r-864h", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:01:09.850Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h"}, {"name": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-19T14:38:54.670086Z", "id": "CVE-2023-36820", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-19T14:39:04.617Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h", "name": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980", "name": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:01:09.850Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-36820", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-19T14:38:54.670086Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-19T14:38:59.886Z"}}], "cna": {"title": "micronaut security has invalid IdTokenClaimsValidator logic on aud", "source": {"advisory": "GHSA-qw22-8w9r-864h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "micronaut-projects", "product": "micronaut-security", "versions": [{"status": "affected", "version": ">= 3.11.0, < 3.11.1"}, {"status": "affected", "version": ">= 3.10.0, < 3.10.2"}, {"status": "affected", "version": ">= 3.9.0, < 3.9.6"}, {"status": "affected", "version": ">= 3.8.0, < 3.8.4"}, {"status": "affected", "version": ">= 3.7.0, < 3.7.4"}, {"status": "affected", "version": ">= 3.6.0, < 3.6.6"}, {"status": "affected", "version": ">= 3.5.0, < 3.5.3"}, {"status": "affected", "version": ">= 3.4.0, < 3.4.3"}, {"status": "affected", "version": ">= 3.3.0, < 3.3.2"}, {"status": "affected", "version": ">= 3.2.0, < 3.2.4"}, {"status": "affected", "version": ">= 3.1.0, < 3.1.2"}]}], "references": [{"url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h", "name": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980", "name": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-10-09T13:30:26.387Z"}}}, "cveMetadata": {"cveId": "CVE-2023-36820", "state": "PUBLISHED", "dateUpdated": "2024-09-19T14:39:04.617Z", "dateReserved": "2023-06-27T15:43:18.385Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-10-09T13:30:26.387Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "670F1AC9-632E-4D47-9492-9BAC0084BE0E", "versionEndExcluding": "3.1.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "813AFD3C-E241-4376-AAF7-C4B276055121", "versionEndExcluding": "3.2.4", "versionStartIncluding": "3.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "9626C2B1-79E6-4908-9ADF-E520DFC3402C", "versionEndExcluding": "3.3.2", "versionStartIncluding": "3.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "FBCDEED9-3639-4D90-9808-F27F9E2FB02B", "versionEndExcluding": "3.4.3", "versionStartIncluding": "3.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "FDC29054-500C-4B79-BDD5-B48D989D02E9", "versionEndExcluding": "3.5.3", "versionStartIncluding": "3.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "EA9D354C-1D89-4B68-AF7C-D712F0A1A8AD", "versionEndExcluding": "3.6.6", "versionStartIncluding": "3.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "9AE52168-0CAF-4BF7-B88B-AF79149F6919", "versionEndExcluding": "3.7.4", "versionStartIncluding": "3.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "71B1B0A7-CCA3-4199-BC32-37C1138C6BF5", "versionEndExcluding": "3.8.4", "versionStartIncluding": "3.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "AA7B0DE4-ACD6-47AC-8059-9D9B97876B68", "versionEndExcluding": "3.9.6", "versionStartIncluding": "3.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:objectcomputing:micronaut_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "4476038E-A854-4946-9CBF-42E2253B17D9", "versionEndExcluding": "3.10.2", "versionStartIncluding": "3.10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:objectcomputing:micronaut_security:3.11.0:*:*:*:*:*:*:*", "matchCriteriaId": "15398E49-FF87-4B88-B9B3-B326709E26AD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.\n"}, {"lang": "es", "value": "Micronaut Security es una soluci\u00f3n de seguridad para aplicaciones. Antes de las versiones 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2 y 3.11.1, IdTokenClaimsValidator omite Validaci\u00f3n de reclamo `aud` si el token es emitido por el mismo emisor/proveedor de identidad. Cualquier configuraci\u00f3n de OIDC que utilice Micronaut en la que existan varias aplicaciones OIDC para el mismo emisor, pero la autenticaci\u00f3n de token no debe compartirse. Este problema se solucion\u00f3 en las versiones 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2 y 3.11. 1."}], "id": "CVE-2023-36820", "lastModified": "2024-11-21T08:10:40.067", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-09T14:15:10.640", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{}