CVE-2024-39694

July 31, 2024, 4:15 p.m.

4.7
Medium

Description

Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. It is possible for an attacker to craft malicious Urls that certain functions in IdentityServer will incorrectly treat as local and trusted. If such a Url is returned as a redirect, some browsers will follow it to a third-party, untrusted site. Note: by itself, this vulnerability does **not** allow an attacker to obtain user credentials, authorization codes, access tokens, refresh tokens, or identity tokens. An attacker could however exploit this vulnerability as part of a phishing attack designed to steal user credentials. This vulnerability is fixed in 7.0.6, 6.3.10, 6.2.5, 6.1.8, and 6.0.5. Duende.IdentityServer 5.1 and earlier and all versions of IdentityServer4 are no longer supported and will not be receiving updates. If upgrading is not possible, use `IUrlHelper.IsLocalUrl` from ASP.NET Core to validate return Urls in user interface code in the IdentityServer host.

Product(s) Impacted

Product Versions
Duende IdentityServer
  • 7.0.6
  • 6.3.10
  • 6.2.5
  • 6.1.8
  • 6.0.5

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

References

https://github.com/DuendeSoftware/IdentityServer/commit/269ca2171fe1e901c87f2f0797bbc7c230db87c6
https://github.com/DuendeSoftware/IdentityServer/commit/765116a2d4fb0671b6eba015e698533900c61c8e
https://github.com/DuendeSoftware/IdentityServer/commit/d0d8eab35ad9183b14925496803ed8b36658d0a1
https://github.com/DuendeSoftware/IdentityServer/commit/f04cf0be859b93f43563f8f812eb92206ad94011
https://github.com/DuendeSoftware/IdentityServer/commit/fe817b499933d6ed6141b153492d7335c28b184a
https://github.com/DuendeSoftware/IdentityServer/security/advisories/GHSA-ff4q-64jc-gx98

Tags

security-advisories@github.com
CWE-601
2024-07-31
CVE-2024-39694

CVSS Score

4.7 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: CHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: NONE
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

    View Vector String

Timeline

Published: July 31, 2024, 4:15 p.m.
Last Modified: July 31, 2024, 4:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.