6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-36820

GHSA ID

GHSA-qw22-8w9r-864h

EPSS Score

0.51431%

CWE

CWE-284

Published

10/5/2023

Updated

11/8/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-36820

CVE-2023-36820: io.micronaut.security:micronaut-security-oauth2 has invalid IdTokenClaimsValidator logic on aud

Summary

IdTokenClaimsValidator skips aud claim validation if token is issued by same identity issuer/provider.

Details

See https://github.com/micronaut-projects/micronaut-security/blob/master/security-oauth2/src/main/java/io/micronaut/security/oauth2/client/IdTokenClaimsValidator.java#L202

This logic violates point 3 of https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation.

Workaround exists by setting micronaut.security.token.jwt.claims-validators.audience with valid values. micronaut.security.token.jwt.claims-validators.openid-idtoken can be kept as default on.

PoC

Should probably be:

                return issuer.equalsIgnoreCase(iss) &&
                        audiences.contains(clientId) &&
                                validateAzp(claims, clientId, audiences);

Impact

Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared.

Mitigation

Please upgrade to a patched micronaut-security-oauth2 release as soon as possible.

If you cannot upgrade, for example, if you are still using Micronaut Framework 2, you can patch your application by creating a replacement of IdTokenClaimsValidatorReplacement

package cve;

import io.micronaut.context.annotation.Replaces;
import io.micronaut.context.annotation.Requires;
import io.micronaut.core.annotation.NonNull;
import io.micronaut.core.util.StringUtils;
import io.micronaut.security.config.SecurityConfigurationProperties;
import io.micronaut.security.oauth2.client.IdTokenClaimsValidator;
import io.micronaut.security.oauth2.configuration.OauthClientConfiguration;
import io.micronaut.security.oauth2.configuration.OpenIdClientConfiguration;
import io.micronaut.security.token.jwt.generator.claims.JwtClaims;
import io.micronaut.security.token.jwt.validator.JwtClaimsValidatorConfigurationProperties;

import javax.inject.Singleton;
import java.net.URL;
import java.util.Collection;
import java.util.List;
import java.util.Optional;

@Requires(property = SecurityConfigurationProperties.PREFIX + ".authentication", value = "idtoken")
@Requires(property = JwtClaimsValidatorConfigurationProperties.PREFIX + ".openid-idtoken", notEquals = StringUtils.FALSE)
@Singleton
@Replaces(IdTokenClaimsValidator.class)
public class IdTokenClaimsValidatorReplacement extends IdTokenClaimsValidator {
    public IdTokenClaimsValidatorReplacement(Collection<OauthClientConfiguration> oauthClientConfigurations) {
        super(oauthClientConfigurations);
    }

    @Override
    protected boolean validateIssuerAudienceAndAzp(@NonNull JwtClaims claims,
                                                   @NonNull String iss,
                                                   @NonNull List<String> audiences,
                                                   @NonNull String clientId,
                                                   @NonNull OpenIdClientConfiguration openIdClientConfiguration) {
        if (openIdClientConfiguration.getIssuer().isPresent()) {
            Optional<URL> issuerOptional = openIdClientConfiguration.getIssuer();
            if (issuerOptional.isPresent()) {
                String issuer = issuerOptional.get().toString();
                return issuer.equalsIgnoreCase(iss) &&
                        audiences.contains(clientId) &&
                                validateAzp(claims, clientId, audiences);
            }
        }
        return false;
    }
}
``

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-36820

GHSA ID

GHSA-qw22-8w9r-864h

EPSS Score

0.51431%

CWE

CWE-284

Published

10/5/2023

Updated

11/8/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
io.micronaut.security:micronaut-security-oauth2	maven	>= 3.11.0, < 3.11.1	3.11.1
io.micronaut.security:micronaut-security-oauth2	maven	>= 3.10.0, < 3.10.2	3.10.2
io.micronaut.security:micronaut-security-oauth2	maven	>= 3.9.0, < 3.9.6	3.9.6
io.micronaut.security:micronaut-security-oauth2	maven	>= 3.8.0, < 3.8.4	3.8.4
io.micronaut.security:micronaut-security-oauth2	maven	>= 3.7.0, < 3.7.4	3.7.4
io.micronaut.security:micronaut-security-oauth2	maven	>= 3.6.0, < 3.6.6	3.6.6
io.micronaut.security:micronaut-security-oauth2	maven	>= 3.5.0, < 3.5.3	3.5.3
io.micronaut.security:micronaut-security-oauth2	maven	>= 3.4.0, < 3.4.3	3.4.3
io.micronaut.security:micronaut-security-oauth2	maven	>= 3.3.0, < 3.3.2	3.3.2
io.micronaut.security:micronaut-security-oauth2	maven	>= 3.2.0, < 3.2.4	3.2.4
io.micronaut.security:micronaut-security-oauth2	maven	>= 3.1.0, < 3.1.2	3.1.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from line 202 in IdTokenClaimsValidator.java where the validation logic incorrectly used 'issuer.equalsIgnoreCase(iss) || audiences.contains(clientId)' instead of requiring both conditions. The commit diff shows this was changed from || to &&, proving this was the vulnerable code path. This function is directly responsible for ID Token claim validation as per OIDC specifications, and the flawed logic allowed audience claim bypass when issuer matched.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry I*Tok*n*l*imsV*li**tor skips `*u*` *l*im v*li**tion i* tok*n is issu** *y s*m* i**ntity issu*r/provi**r. ### **t*ils S** *ttps://*it*u*.*om/mi*ron*ut-proj**ts/mi*ron*ut-s**urity/*lo*/m*st*r/s**urity-o*ut**/sr*/m*in/j*v*/io/mi*ron*ut/s*

Reasoning

T** vuln*r**ility st*ms *rom lin* *** in I*Tok*n*l*imsV*li**tor.j*v* w**r* t** v*li**tion lo*i* in*orr**tly us** 'issu*r.*qu*lsI*nor***s*(iss) || *u*i*n**s.*ont*ins(*li*ntI*)' inst*** o* r*quirin* *ot* *on*itions. T** *ommit *i** s*ows t*is w*s ***n*

6.5

Basic Information

Concerned about an active attack path?

CVE-2023-36820: io.micronaut.security:micronaut-security-oauth2 has invalid IdTokenClaimsValidator logic on aud

Summary

Details

PoC

Impact

Mitigation

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI