fkie_cve-2025-27370
Vulnerability from fkie_nvd
Published
2025-03-03 18:15
Modified
2025-04-25 15:15
Severity ?
6.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N
Summary
OpenID Connect Core through 1.0 errata set 2 allows audience injection in certain situations. When the private_key_jwt authentication mechanism is used, a malicious Authorization Server could trick a Client into writing attacker-controlled values into the audience, including token endpoints or issuer identifiers of other Authorization Servers. The malicious Authorization Server could then use these private key JWTs to impersonate the Client.
References
cve@mitre.orghttps://eprint.iacr.org/2025/629
cve@mitre.orghttps://github.com/OWASP/ASVS/issues/2678
cve@mitre.orghttps://openid.net/notice-of-a-security-vulnerability/
cve@mitre.orghttps://openid.net/wp-content/uploads/2025/01/OIDF-Responsible-Disclosure-Notice-on-Security-Vulnerability-for-private_key_jwt.pdf
cve@mitre.orghttps://talks.secworkshop.events/osw2025/talk/R8D9BS/
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "OpenID Connect Core through 1.0 errata set 2 allows audience injection in certain situations. When the private_key_jwt authentication mechanism is used, a malicious Authorization Server could trick a Client into writing attacker-controlled values into the audience, including token endpoints or issuer identifiers of other Authorization Servers. The malicious Authorization Server could then use these private key JWTs to impersonate the Client."
    },
    {
      "lang": "es",
      "value": "OpenID Connect Core a trav\u00e9s del conjunto de erratas 1.0 2 permite la inyecci\u00f3n de audiencia en determinadas situaciones. Cuando se utiliza el mecanismo de autenticaci\u00f3n private_key_jwt, un servidor de autorizaci\u00f3n malintencionado podr\u00eda enga\u00f1ar a un cliente para que escriba valores controlados por el atacante en la audiencia, incluidos endpoints de token o identificadores de emisor de otros servidores de autorizaci\u00f3n. El servidor de autorizaci\u00f3n malintencionado podr\u00eda entonces utilizar estos JWT de clave privada para hacerse pasar por el cliente."
    }
  ],
  "id": "CVE-2025-27370",
  "lastModified": "2025-04-25T15:15:35.820",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 4.7,
        "source": "cve@mitre.org",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-03-03T18:15:40.650",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "https://eprint.iacr.org/2025/629"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://github.com/OWASP/ASVS/issues/2678"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://openid.net/notice-of-a-security-vulnerability/"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://openid.net/wp-content/uploads/2025/01/OIDF-Responsible-Disclosure-Notice-on-Security-Vulnerability-for-private_key_jwt.pdf"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://talks.secworkshop.events/osw2025/talk/R8D9BS/"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-305"
        }
      ],
      "source": "cve@mitre.org",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.