cvelistv5 - CVE-2024-51987

CVE-2024-51987

Vulnerability from cvelistv5

Published

2024-11-07 23:36

Modified

2024-11-08 15:57

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Summary

Duende.AccessTokenManagement.OpenIdConnect is a set of .NET libraries that manage OAuth and OpenId Connect access tokens. HTTP Clients created by `AddUserAccessTokenHttpClient` may use a different user's access token after a token refresh occurs. This occurs because a refreshed token will be captured in pooled `HttpClient` instances, which may be used by a different user. Instead of using `AddUserAccessTokenHttpClient` to create an `HttpClient` that automatically adds a managed token to outgoing requests, you can use the `HttpConext.GetUserAccessTokenAsync` extension method or the `IUserTokenManagementService.GetAccessTokenAsync` method. This issue is fixed in Duende.AccessTokenManagement.OpenIdConnect 3.0.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.

References

▼	URL	Tags
	security-advisories@github.com	https://github.com/DuendeSoftware/Duende.AccessTokenManagement/security/advisories/GHSA-7mr7-4f54-vcx5

Impacted products

	Vendor	Product	Version
	DuendeSoftware	Duende.AccessTokenManagement	Version: = 3.0.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-51987",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-08T15:57:43.125942Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-08T15:57:51.304Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Duende.AccessTokenManagement",
          "vendor": "DuendeSoftware",
          "versions": [
            {
              "status": "affected",
              "version": "= 3.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Duende.AccessTokenManagement.OpenIdConnect is a set of .NET libraries that manage OAuth and OpenId Connect access tokens. HTTP Clients created by `AddUserAccessTokenHttpClient` may use a different user\u0027s access token after a token refresh occurs. This occurs because a refreshed token will be captured in pooled `HttpClient` instances, which may be used by a different user. Instead of using `AddUserAccessTokenHttpClient` to create an `HttpClient` that automatically adds a managed token to outgoing requests, you can use the `HttpConext.GetUserAccessTokenAsync` extension method or the `IUserTokenManagementService.GetAccessTokenAsync` method. This issue is fixed in Duende.AccessTokenManagement.OpenIdConnect 3.0.1. All users are advised to upgrade. There are no known workarounds for this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-270",
              "description": "CWE-270: Privilege Context Switching Error",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-07T23:36:16.989Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/DuendeSoftware/Duende.AccessTokenManagement/security/advisories/GHSA-7mr7-4f54-vcx5",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/DuendeSoftware/Duende.AccessTokenManagement/security/advisories/GHSA-7mr7-4f54-vcx5"
        }
      ],
      "source": {
        "advisory": "GHSA-7mr7-4f54-vcx5",
        "discovery": "UNKNOWN"
      },
      "title": "HTTP Client uses incorrect token after refresh in Duende.AccessTokenManagement.OpenIdConnect"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-51987",
    "datePublished": "2024-11-07T23:36:16.989Z",
    "dateReserved": "2024-11-04T17:46:16.774Z",
    "dateUpdated": "2024-11-08T15:57:51.304Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-51987\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-11-08T00:15:15.233\",\"lastModified\":\"2024-11-08T19:01:03.880\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Duende.AccessTokenManagement.OpenIdConnect is a set of .NET libraries that manage OAuth and OpenId Connect access tokens. HTTP Clients created by `AddUserAccessTokenHttpClient` may use a different user\u0027s access token after a token refresh occurs. This occurs because a refreshed token will be captured in pooled `HttpClient` instances, which may be used by a different user. Instead of using `AddUserAccessTokenHttpClient` to create an `HttpClient` that automatically adds a managed token to outgoing requests, you can use the `HttpConext.GetUserAccessTokenAsync` extension method or the `IUserTokenManagementService.GetAccessTokenAsync` method. This issue is fixed in Duende.AccessTokenManagement.OpenIdConnect 3.0.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.\"},{\"lang\":\"es\",\"value\":\"Duende.AccessTokenManagement.OpenIdConnect es un conjunto de librer\u00edas .NET que administran tokens de acceso de OAuth y OpenId Connect. Los clientes HTTP creados por `AddUserAccessTokenHttpClient` pueden usar el token de acceso de un usuario diferente despu\u00e9s de que se actualice el token. Esto ocurre porque un token actualizado se capturar\u00e1 en instancias `HttpClient` agrupadas, que pueden ser utilizadas por un usuario diferente. En lugar de usar `AddUserAccessTokenHttpClient` para crear un `HttpClient` que agregue autom\u00e1ticamente un token administrado a las solicitudes salientes, puede usar el m\u00e9todo de extensi\u00f3n `HttpConext.GetUserAccessTokenAsync` o el m\u00e9todo `IUserTokenManagementService.GetAccessTokenAsync`. Este problema se solucion\u00f3 en Duende.AccessTokenManagement.OpenIdConnect 3.0.1. Se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-270\"}]}],\"references\":[{\"url\":\"https://github.com/DuendeSoftware/Duende.AccessTokenManagement/security/advisories/GHSA-7mr7-4f54-vcx5\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"HTTP Client uses incorrect token after refresh in Duende.AccessTokenManagement.OpenIdConnect\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-270\", \"lang\": \"en\", \"description\": \"CWE-270: Privilege Context Switching Error\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"NONE\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"REQUIRED\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/DuendeSoftware/Duende.AccessTokenManagement/security/advisories/GHSA-7mr7-4f54-vcx5\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/DuendeSoftware/Duende.AccessTokenManagement/security/advisories/GHSA-7mr7-4f54-vcx5\"}], \"affected\": [{\"vendor\": \"DuendeSoftware\", \"product\": \"Duende.AccessTokenManagement\", \"versions\": [{\"version\": \"= 3.0.0\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-11-07T23:36:16.989Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Duende.AccessTokenManagement.OpenIdConnect is a set of .NET libraries that manage OAuth and OpenId Connect access tokens. HTTP Clients created by `AddUserAccessTokenHttpClient` may use a different user\u0027s access token after a token refresh occurs. This occurs because a refreshed token will be captured in pooled `HttpClient` instances, which may be used by a different user. Instead of using `AddUserAccessTokenHttpClient` to create an `HttpClient` that automatically adds a managed token to outgoing requests, you can use the `HttpConext.GetUserAccessTokenAsync` extension method or the `IUserTokenManagementService.GetAccessTokenAsync` method. This issue is fixed in Duende.AccessTokenManagement.OpenIdConnect 3.0.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.\"}], \"source\": {\"advisory\": \"GHSA-7mr7-4f54-vcx5\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-51987\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-08T15:57:43.125942Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-08T15:57:47.311Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-51987\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2024-11-04T17:46:16.774Z\", \"datePublished\": \"2024-11-07T23:36:16.989Z\", \"dateUpdated\": \"2024-11-08T15:57:51.304Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

fkie_cve-2024-51987

Vulnerability from fkie_nvd

Published

2024-11-08 00:15

Modified

2024-11-08 19:01

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Summary

References

▼	URL	Tags
	security-advisories@github.com	https://github.com/DuendeSoftware/Duende.AccessTokenManagement/security/advisories/GHSA-7mr7-4f54-vcx5

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Duende.AccessTokenManagement.OpenIdConnect is a set of .NET libraries that manage OAuth and OpenId Connect access tokens. HTTP Clients created by `AddUserAccessTokenHttpClient` may use a different user\u0027s access token after a token refresh occurs. This occurs because a refreshed token will be captured in pooled `HttpClient` instances, which may be used by a different user. Instead of using `AddUserAccessTokenHttpClient` to create an `HttpClient` that automatically adds a managed token to outgoing requests, you can use the `HttpConext.GetUserAccessTokenAsync` extension method or the `IUserTokenManagementService.GetAccessTokenAsync` method. This issue is fixed in Duende.AccessTokenManagement.OpenIdConnect 3.0.1. All users are advised to upgrade. There are no known workarounds for this vulnerability."
    },
    {
      "lang": "es",
      "value": "Duende.AccessTokenManagement.OpenIdConnect es un conjunto de librer\u00edas .NET que administran tokens de acceso de OAuth y OpenId Connect. Los clientes HTTP creados por `AddUserAccessTokenHttpClient` pueden usar el token de acceso de un usuario diferente despu\u00e9s de que se actualice el token. Esto ocurre porque un token actualizado se capturar\u00e1 en instancias `HttpClient` agrupadas, que pueden ser utilizadas por un usuario diferente. En lugar de usar `AddUserAccessTokenHttpClient` para crear un `HttpClient` que agregue autom\u00e1ticamente un token administrado a las solicitudes salientes, puede usar el m\u00e9todo de extensi\u00f3n `HttpConext.GetUserAccessTokenAsync` o el m\u00e9todo `IUserTokenManagementService.GetAccessTokenAsync`. Este problema se solucion\u00f3 en Duende.AccessTokenManagement.OpenIdConnect 3.0.1. Se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."
    }
  ],
  "id": "CVE-2024-51987",
  "lastModified": "2024-11-08T19:01:03.880",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-11-08T00:15:15.233",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/DuendeSoftware/Duende.AccessTokenManagement/security/advisories/GHSA-7mr7-4f54-vcx5"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-270"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

ghsa-7mr7-4f54-vcx5

Vulnerability from github

Published

2024-11-07 21:57

Modified

2024-11-08 13:55

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
5.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Summary

HTTP Client uses incorrect token after refresh

Details

Impact

HTTP Clients created by AddUserAccessTokenHttpClient may use a different user's access token after a token refresh. This occurs because a refreshed token will be captured in pooled HttpClient instances, which may be used by a different user.

Workarounds

Instead of using AddUserAccessTokenHttpClient to create an HttpClient that automatically adds a managed token to outgoing requests, you can use the HttpConext.GetUserAccessTokenAsync extension method or the IUserTokenManagementService.GetAccessTokenAsync method.

Patches

This issue is fixed in Duende.AccessTokenManagement.OpenIdConnect 3.0.1.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Duende.AccessTokenManagement.OpenIdConnect"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "3.0.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2024-51987"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-270"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-07T21:57:52Z",
    "nvd_published_at": "2024-11-08T00:15:15Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nHTTP Clients created by `AddUserAccessTokenHttpClient` may use a different user\u0027s access token after a token refresh. This occurs because a refreshed token will be captured in pooled `HttpClient` instances, which may be used by a different user.\n\n### Workarounds\nInstead of using `AddUserAccessTokenHttpClient` to create an `HttpClient` that automatically adds a managed token to outgoing requests, you can use the `HttpConext.GetUserAccessTokenAsync` extension method or the `IUserTokenManagementService.GetAccessTokenAsync` method.\n\n### Patches\nThis issue is fixed in Duende.AccessTokenManagement.OpenIdConnect 3.0.1.\n\n",
  "id": "GHSA-7mr7-4f54-vcx5",
  "modified": "2024-11-08T13:55:27Z",
  "published": "2024-11-07T21:57:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/DuendeSoftware/Duende.AccessTokenManagement/security/advisories/GHSA-7mr7-4f54-vcx5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51987"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DuendeSoftware/Duende.AccessTokenManagement/commit/09c73e32b182da5c6d7b55ec790cb2271cc4b63f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/DuendeSoftware/Duende.AccessTokenManagement"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DuendeSoftware/Duende.AccessTokenManagement/releases/tag/3.0.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "HTTP Client uses incorrect token after refresh"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2024-51987

Vulnerability from cvelistv5

fkie_cve-2024-51987

Vulnerability from fkie_nvd

ghsa-7mr7-4f54-vcx5

Vulnerability from github

Impact

Workarounds

Patches

Tags

Sightings

Nomenclature