
GHSA-55p7-v223-x366: IdentityServer Open Redirect vulnerability

CVSS 3.1 Score: 4.7

Basic Information

CVE ID: -
EPSS Score: -
Published: 7/31/2024
Updated: 7/31/2024
KEV Status: No
Technology: C#

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

Package Name      Ecosystem   Vulnerable Versions   First Patched Version
IdentityServer4   nuget       <= 4.1.2              -

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The advisory explicitly lists methods across multiple classes (DefaultIdentityServerInteractionService, ServerUrlExtensions, ReturnUrlParser, OidcReturnUrlParser) as having improper URL validation logic. Each listed function either (1) returns a non-null result for a malicious URL, indicating that it is trusted, or (2) returns true from a validation check for a crafted URL. Confidence is high because the functions are named directly in multiple authoritative sources (GitHub Security Advisories, NVD), and the vulnerability pattern matches CWE-601 (Open Redirect) through improper URL validation.
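The defect described above is a local-URL check that accepts inputs a browser will resolve to another host. As an added example (not IdentityServer's code or the advisory's fix), this is a strict check of the kind a return-URL parser needs, in C#; the class name, method names and test inputs are constructed for illustration.

```csharp
// Added example (not IdentityServer's code): a strict "is this return URL local?" check
// to run before redirecting to a user-supplied returnUrl, with a self-check in Main.
using System;
using System.Collections.Generic;

public static class ReturnUrlGuard
{
    // Returns true only for same-site relative paths. Anything a browser could resolve
    // to a different host (protocol-relative "//host", backslash variants, absolute URLs,
    // other schemes) is rejected so it is never echoed into a Location header.
    public static bool IsLocalUrl(string? url)
    {
        if (string.IsNullOrWhiteSpace(url)) return false;

        // Reject control characters and whitespace that some parsers strip or reinterpret.
        foreach (char c in url)
            if (char.IsControl(c) || char.IsWhiteSpace(c)) return false;

        // "/path" is local; "//host" and "/\host" are not (browsers treat them as protocol-relative).
        if (url[0] == '/')
            return url.Length == 1 || (url[1] != '/' && url[1] != '\\');

        // "~/path" is the ASP.NET application-root form; apply the same rule after the "~".
        if (url.Length > 1 && url[0] == '~' && url[1] == '/')
            return url.Length == 2 || (url[2] != '/' && url[2] != '\\');

        // Anything else (absolute URL, bare host, "javascript:" and so on) is treated as external.
        return false;
    }

    // Chooses the redirect target: the validated local URL, or a safe fallback.
    public static string SafeRedirectTarget(string? returnUrl, string fallback = "/")
        => IsLocalUrl(returnUrl) ? returnUrl! : fallback;

    public static void Main()
    {
        // Constructed test vectors: local paths that must pass, externally-resolving forms that must fail.
        var cases = new Dictionary<string, bool>
        {
            ["/account/profile?tab=1"] = true,
            ["~/account"] = true,
            ["//other-host.example/"] = false,
            [@"/\other-host.example"] = false,
            ["https://other-host.example/"] = false,
            ["/a\tb"] = false,
        };
        foreach (var (input, expected) in cases)
            Console.WriteLine($"{input,-30} local={IsLocalUrl(input)} expected={expected}");
    }
}
```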



Impact

It is possible for an attacker to craft malicious URLs that certain functions in IdentityServer will incorrectly treat as local and trusted. If such a URL is returned as a redirect, some browsers will follow it to a third-party, untrusted
