{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-49755", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-10-18T13:43:23.453Z", "datePublished": "2024-10-28T19:44:15.536Z", "dateUpdated": "2024-10-29T17:54:35.440Z"}, "containers": {"cna": {"title": "Duende IdentityServer has insufficient validation of DPoP cnf claim in Local APIs", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/DuendeSoftware/IdentityServer/security/advisories/GHSA-v9xq-2mvm-x8xc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/DuendeSoftware/IdentityServer/security/advisories/GHSA-v9xq-2mvm-x8xc"}, {"name": "https://github.com/DuendeSoftware/IdentityServer/commit/f28cac921c1f545afe65af71a9327224755b6dac", "tags": ["x_refsource_MISC"], "url": "https://github.com/DuendeSoftware/IdentityServer/commit/f28cac921c1f545afe65af71a9327224755b6dac"}], "affected": [{"vendor": "DuendeSoftware", "product": "IdentityServer", "versions": [{"version": ">= 7.0.0, < 7.0.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-10-28T19:44:15.536Z"}, "descriptions": [{"lang": "en", "value": "Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. IdentityServer's local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local api endpoints even without possessing the private key for signing proof tokens. Note that this only impacts custom endpoints within an IdentityServer implementation that have explicitly used the LocalApiAuthenticationHandler for authentication. This vulnerability is patched in IdentityServer 7.0.8. Version 6.3 and below are unaffected, as they do not support DPoP in Local APIs."}], "source": {"advisory": "GHSA-v9xq-2mvm-x8xc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-29T17:54:15.796016Z", "id": "CVE-2024-49755", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-29T17:54:35.440Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-49755", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-29T17:54:15.796016Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-29T17:54:32.249Z"}}], "cna": {"title": "Duende IdentityServer has insufficient validation of DPoP cnf claim in Local APIs", "source": {"advisory": "GHSA-v9xq-2mvm-x8xc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "DuendeSoftware", "product": "IdentityServer", "versions": [{"status": "affected", "version": ">= 7.0.0, < 7.0.8"}]}], "references": [{"url": "https://github.com/DuendeSoftware/IdentityServer/security/advisories/GHSA-v9xq-2mvm-x8xc", "name": "https://github.com/DuendeSoftware/IdentityServer/security/advisories/GHSA-v9xq-2mvm-x8xc", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/DuendeSoftware/IdentityServer/commit/f28cac921c1f545afe65af71a9327224755b6dac", "name": "https://github.com/DuendeSoftware/IdentityServer/commit/f28cac921c1f545afe65af71a9327224755b6dac", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. IdentityServer's local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local api endpoints even without possessing the private key for signing proof tokens. Note that this only impacts custom endpoints within an IdentityServer implementation that have explicitly used the LocalApiAuthenticationHandler for authentication. This vulnerability is patched in IdentityServer 7.0.8. Version 6.3 and below are unaffected, as they do not support DPoP in Local APIs."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287: Improper Authentication"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-10-28T19:44:15.536Z"}}}, "cveMetadata": {"cveId": "CVE-2024-49755", "state": "PUBLISHED", "dateUpdated": "2024-10-29T17:54:35.440Z", "dateReserved": "2024-10-18T13:43:23.453Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-10-28T19:44:15.536Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. IdentityServer's local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local api endpoints even without possessing the private key for signing proof tokens. Note that this only impacts custom endpoints within an IdentityServer implementation that have explicitly used the LocalApiAuthenticationHandler for authentication. This vulnerability is patched in IdentityServer 7.0.8. Version 6.3 and below are unaffected, as they do not support DPoP in Local APIs."}, {"lang": "es", "value": "Duende IdentityServer es un framework de trabajo de OpenID Connect y OAuth 2.x para ASP.NET Core. El controlador de autenticaci\u00f3n de API local de IdentityServer realiza una validaci\u00f3n insuficiente de la reclamaci\u00f3n cnf en tokens de acceso DPoP. Esto permite que un atacante utilice tokens de acceso DPoP filtrados en endpoints de API locales incluso sin poseer la clave privada para firmar tokens de prueba. Tenga en cuenta que esto solo afecta a los endpoints personalizados dentro de una implementaci\u00f3n de IdentityServer que hayan utilizado expl\u00edcitamente LocalApiAuthenticationHandler para la autenticaci\u00f3n. Esta vulnerabilidad est\u00e1 corregida en IdentityServer 7.0.8. La versi\u00f3n 6.3 y anteriores no se ven afectadas, ya que no admiten DPoP en API locales."}], "id": "CVE-2024-49755", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-10-28T20:15:06.297", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/DuendeSoftware/IdentityServer/commit/f28cac921c1f545afe65af71a9327224755b6dac"}, {"source": "security-advisories@github.com", "url": "https://github.com/DuendeSoftware/IdentityServer/security/advisories/GHSA-v9xq-2mvm-x8xc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{}