We recently published Duende.AccessTokenManagement.OpenIdConnect 3.0.1, a security hotfix which addresses CVE-2024-51987, a medium-severity security issue that can cause refreshed access tokens to be cached and used for the wrong user.
We encourage everyone using Duende.AccessTokenManagement.OpenIdConnect 3.0.0 to update to version 3.0.1.
This issue was introduced in version 3.0.0, as part of our efforts to make the library more useful in scenarios where there may not always be an incoming HTTP request. Previously, we resolved certain dependencies for HttpClients on the fly from the HttpContext's request services. This made it impossible to use the HttpClient convenience methods in applications that don't always have an incoming HTTP request, such as a Blazor application using the Server or Auto render mode. When we changed how we resolve those services, we introduced this issue, which causes the HttpClient to hold on to refreshed access tokens across incoming HTTP requests. As a result, an application might make API requests with the wrong user's token after tokens are refreshed.
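To make the failure mode concrete, here is an added, constructed C# model of the defect described above. It is not Duende's code and does not reproduce the library's internals or the actual 3.0.1 fix; the names `UserSession`, `FakeTokenEndpoint`, `SharedSlotTokenProvider` and `PerUserTokenProvider` are invented for this illustration. The defective variant stores a refreshed token in a single field that outlives the incoming request, so the next user's outgoing call is sent with the previous user's token; the corrected variant keys its cache by the user the token was issued for, which is one way (assumed here, not necessarily the library's) to keep refreshed tokens from crossing request boundaries.

```csharp
using System;
using System.Collections.Generic;

// Constructed stand-in for the per-user state an incoming request carries.
public sealed record UserSession(string UserId, string AccessToken, string RefreshToken, bool TokenExpired);

public interface ITokenProvider
{
    string GetAccessToken(UserSession session);
}

// Simulated token endpoint: "refreshes" by issuing a new token that still
// carries the owning user's name, so a cross-user mix-up is easy to spot.
public static class FakeTokenEndpoint
{
    private static int _counter;
    public static string Refresh(string refreshToken) => $"{refreshToken}-refreshed-{++_counter}";
}

// Defective model: one cache slot shared by every incoming request.
// Once a token has been refreshed for any user, every later caller gets it.
public sealed class SharedSlotTokenProvider : ITokenProvider
{
    private string? _refreshedToken;   // outlives the request that filled it

    public string GetAccessToken(UserSession session)
    {
        if (_refreshedToken is not null) return _refreshedToken;   // may belong to someone else
        if (!session.TokenExpired) return session.AccessToken;
        _refreshedToken = FakeTokenEndpoint.Refresh(session.RefreshToken);
        return _refreshedToken;
    }
}

// Corrected model: refreshed tokens are cached per user, never across users.
public sealed class PerUserTokenProvider : ITokenProvider
{
    private readonly Dictionary<string, string> _refreshedByUser = new();

    public string GetAccessToken(UserSession session)
    {
        if (_refreshedByUser.TryGetValue(session.UserId, out var cached)) return cached;
        if (!session.TokenExpired) return session.AccessToken;
        var fresh = FakeTokenEndpoint.Refresh(session.RefreshToken);
        _refreshedByUser[session.UserId] = fresh;
        return fresh;
    }
}

public static class Program
{
    // Simulates two consecutive incoming requests from different users and
    // reports whether the token handed out for the second user belongs to someone else.
    public static bool CrossUserLeak(ITokenProvider provider)
    {
        var alice = new UserSession("alice", "at-alice", "rt-alice", TokenExpired: true);
        var bob   = new UserSession("bob",   "at-bob",   "rt-bob",   TokenExpired: false);

        provider.GetAccessToken(alice);                  // request 1: Alice's expired token is refreshed
        var tokenForBob = provider.GetAccessToken(bob);  // request 2: Bob should receive his own token
        return !tokenForBob.Contains("bob");
    }

    public static void Main()
    {
        Console.WriteLine($"shared slot leaks across users: {CrossUserLeak(new SharedSlotTokenProvider())}");
        Console.WriteLine($"per-user cache leaks across users: {CrossUserLeak(new PerUserTokenProvider())}");
    }
}
```

The same check is a useful regression test for any token-caching layer: drive two distinct user sessions through the component in sequence, force a refresh on the first, and assert that the second session's outgoing token is still its own.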
An attacker with a user in the system could potentially exploit this to cause the application to make API requests as a different user. Somewhat mitigating the severity of this attack is that the attacker will be unable to control which user's token is used and for how long. We assess this issue as medium severity, with a CVSS v3.1 score of 5.4/10.
This issue was reported to us by Nate Laff. Thank you Nate for your help and for disclosing this issue responsibly. We always encourage bug reports from the community. General issues can be submitted to the developer community, while security issues should be reported privately to security@duendesoftware.com.
Again, we encourage everyone to update to Duende.AccessTokenManagement.OpenIdConnect 3.0.1. See the security advisory for more details, and if you have further questions, please email the Duende Security team at security@duendesoftware.com.