Description

Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.

Remediation

References

https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980

https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h

Related Vulnerabilities

CVE-2021-31522 Vulnerability in maven package org.apache.kylin:kylin-server-base

CVE-2019-14862 Vulnerability in maven package org.webjars:knockout

CVE-2021-24033 Vulnerability in npm package react-dev-utils

CVE-2020-16040 Vulnerability in npm package electron

CVE-2021-21368 Vulnerability in maven package org.webjars.npm:msgpack5

Severity

High

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Tags

Patch Exploit Mitigation Third Party Advisory NVD-CWE-noinfo