GHSA-55p7-v223-x366: IdentityServer Open Redirect vulnerability
CVSS Score: 4.7 (CVSS v3.1)
Basic Information
CVE ID: -
GHSA ID: GHSA-55p7-v223-x366
EPSS Score: -
CWE: CWE-601 (Open Redirect)
Published: 7/31/2024
Updated: 7/31/2024
KEV Status: No
Technology: C#
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| IdentityServer4 | nuget | <= 4.1.2 | - |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The advisory names methods in several classes (DefaultIdentityServerInteractionService, ServerUrlExtensions, ReturnUrlParser, OidcReturnUrlParser) whose URL validation logic is improper. Each of the listed functions either 1) returns a non-null result for a malicious URL, which callers treat as a sign that the URL is trusted, or 2) returns true from its validation check for a crafted URL. Confidence is high because the functions are named directly in multiple authoritative sources (GitHub Security Advisories, NVD) and the pattern is CWE-601 (Open Redirect) through improper URL validation.
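The check that the functions named above are reported to get wrong is "is this return URL local to my own origin?". The following is an added example written for this page; it is not IdentityServer4 code and not the fix described in the advisory. The class and method names (`ReturnUrlValidator`, `IsLocalReturnUrl`, `SafeRedirectTarget`) are hypothetical, the sample inputs are constructed, and because this page does not state which crafted URL shape bypassed IdentityServer4, the rejected inputs are generic open-redirect shapes that browsers resolve to a foreign origin, not the specific bypass.

```csharp
using System;
using System.Collections.Generic;

// Added example, not code from IdentityServer4 or from the advisory. It shows a strict
// "is this return URL local?" check of the kind the advisory says the listed functions
// got wrong. The page does not say which crafted URL shape bypassed IdentityServer4;
// the inputs in Main are generic open-redirect shapes chosen to exercise the validator
// (assumption, constructed for this example).
public static class ReturnUrlValidator
{
    // Accept only an app-relative path: a single leading '/' whose next character
    // cannot turn the string into an authority or a scheme. Everything else is
    // rejected, so the caller can only ever redirect within its own origin.
    public static bool IsLocalReturnUrl(string returnUrl)
    {
        if (string.IsNullOrEmpty(returnUrl)) return false;

        // Browsers strip tab/newline inside URLs and handle other control characters
        // inconsistently, so "/\t/evil.example" can be parsed as "//evil.example".
        // Reject any control or whitespace character rather than trying to normalise.
        foreach (char c in returnUrl)
        {
            if (char.IsControl(c) || char.IsWhiteSpace(c)) return false;
        }

        // Must start with '/' so no scheme ("https:", "javascript:") is possible.
        if (returnUrl[0] != '/') return false;
        if (returnUrl.Length == 1) return true;

        // "//host" is protocol-relative, and browsers normalise "/\host" to "//host";
        // both leave the current origin, so a second '/' or '\' is fatal.
        char second = returnUrl[1];
        return second != '/' && second != '\\';
    }

    // Use the validated URL or fall back to a safe default; never hand the raw
    // parameter to a redirect. The fallback path is an assumption for this example.
    public static string SafeRedirectTarget(string returnUrl, string fallback = "/")
    {
        return IsLocalReturnUrl(returnUrl) ? returnUrl : fallback;
    }

    public static void Main()
    {
        // Constructed inputs: the first three are benign, the rest are generic
        // open-redirect shapes. Expected: True for the benign ones, False otherwise.
        var samples = new List<string>
        {
            "/",
            "/connect/authorize?client_id=app&redirect_uri=https%3A%2F%2Fapp.example%2Fcb",
            "/account/profile",
            "//evil.example/",
            "/\\evil.example/",
            "https://evil.example/",
            "javascript:alert(1)",
            "/\t/evil.example",
            "/\r\n/evil.example",
            "",
        };

        foreach (var s in samples)
        {
            string shown = s.Replace("\t", "\\t").Replace("\r", "\\r").Replace("\n", "\\n");
            Console.WriteLine($"{IsLocalReturnUrl(s),-5} {shown} -> {SafeRedirectTarget(s)}");
        }
    }
}
```

Two caveats for anyone adapting this. First, do not rely on `Uri.TryCreate(returnUrl, UriKind.Absolute, out _)` returning false as proof that a string is relative: on Linux and macOS, .NET accepts a bare path such as `/account` as an absolute `file://` URI, so that test gives platform-dependent answers. Second, this check only establishes that the redirect stays on the current origin; the OIDC return-URL parsers named in the advisory additionally parse the query string of the authorize request, so the local-URL decision must be made before any of those parameters are trusted, not after.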