Impact
What kind of vulnerability is it? Who is impacted?
Anyone leveraging the SignedHttpRequestprotocol or the SignedHttpRequestValidatoris vulnerable. Microsoft.IdentityModel trusts the jkuclaim by default for the SignedHttpRequestprotocol. This raises the possibility to make any remote or local HTTP GET request.
Patches
Has the problem been patched? What versions should users upgrade to?
The vulnerability has been fixed in Microsoft.IdentityModel.Protocols.SignedHttpRequest. Users should update all their Microsoft.IdentityModel versions to 7.1.2 (for 7x) or higher, 6.34.0 (for 6x) or higher, if using Microsoft.IdentityModel.Protocols.SignedHttpRequest.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
No, users must upgrade.
References
Are there any links users can visit to find out more?
https://aka.ms/IdentityModel/Jan2024/jku
rymeskar Finder
brentschmaltz Remediation reviewer
GeoK Remediation developer
keegan-caruso Remediation reviewer
jmprieur Coordinator
jennyf19 Coordinator
TimHannMSFT Remediation reviewer
Impact
What kind of vulnerability is it? Who is impacted?
Anyone leveraging the
SignedHttpRequestprotocol or theSignedHttpRequestValidatoris vulnerable. Microsoft.IdentityModel trusts thejkuclaim by default for theSignedHttpRequestprotocol. This raises the possibility to make any remote or localHTTP GETrequest.Patches
Has the problem been patched? What versions should users upgrade to?
The vulnerability has been fixed in Microsoft.IdentityModel.Protocols.SignedHttpRequest. Users should update all their Microsoft.IdentityModel versions to 7.1.2 (for 7x) or higher, 6.34.0 (for 6x) or higher, if using Microsoft.IdentityModel.Protocols.SignedHttpRequest.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
No, users must upgrade.
References
Are there any links users can visit to find out more?
https://aka.ms/IdentityModel/Jan2024/jku