jkucve
This page relates to the CVE for a remote code execution vulnerability in Microsoft.IdentityModel.Protocols.SignedHttpRequest.

Anyone using the SignedHttpRequest protocol or the SignedHttpRequestValidator classes released in Microsoft.IdentityModel.Protocols.SignedHttpRequest is vulnerable. Microsoft.IdentityModel trusts the jku claim by default for the SignedHttpRequest protocol, which makes it possible for the jku claim to trigger any remote or local HTTP GET request.

Without upgrading, you can disable or filter outbound HTTP requests at the firewall.

After upgrading, if your service requires the use of the jku claim, the only potentially safe way to do this is to limit the domains which you trust.
Microsoft.IdentityModel.Protocols.SignedHttpRequest's SignedHttpRequestValidationParameters now exposes two new properties:

- AllowResolvingPopKeyFromJku, which defaults to false and controls whether or not the PoP key can ever be resolved from the jku claim.
- If the above is ever set to true, you will also have to update the second new property, AllowedDomainsForJkuRetrieval, which is the set of domains that you trust. Any domains in this list will be considered fully trusted as they can pass keys to influence PoP key validation.
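As an added example (not the project's own code), the hardened configuration of the two properties beside the validation call it protects. It assumes the SignedHttpRequestHandler, SignedHttpRequestValidationContext and HttpRequestData types from the package, that AllowedDomainsForJkuRetrieval accepts a list of strings, and uses a constructed sample domain.

```csharp
using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.SignedHttpRequest;
using Microsoft.IdentityModel.Tokens;

public static class PopValidation
{
    // Build validation parameters that keep jku key retrieval disabled unless the
    // caller supplies an explicit allowlist of trusted domains. Hosts on that list are
    // fully trusted: they can serve the key used to validate the PoP signature.
    public static SignedHttpRequestValidationParameters CreateParameters(IList<string> trustedJkuDomains)
    {
        var parameters = new SignedHttpRequestValidationParameters
        {
            // Secure default of the fixed package: never follow a jku URL.
            AllowResolvingPopKeyFromJku = false,
        };

        if (trustedJkuDomains != null && trustedJkuDomains.Count > 0)
        {
            // Opt in only together with the allowlist; enabling jku resolution
            // without AllowedDomainsForJkuRetrieval re-opens the original problem.
            parameters.AllowResolvingPopKeyFromJku = true;
            parameters.AllowedDomainsForJkuRetrieval = trustedJkuDomains;
        }

        return parameters;
    }

    // Validate an incoming SignedHttpRequest (PoP) token against the HTTP request it covers.
    // The assumed types and call shape are those of the package's handler API.
    public static async Task<SignedHttpRequestValidationResult> ValidateAsync(
        string signedHttpRequest,
        HttpRequestData requestData,
        TokenValidationParameters accessTokenValidationParameters,
        SignedHttpRequestValidationParameters popParameters)
    {
        var context = new SignedHttpRequestValidationContext(
            signedHttpRequest, requestData, accessTokenValidationParameters, popParameters);
        var handler = new SignedHttpRequestHandler();
        return await handler.ValidateSignedHttpRequestAsync(context, CancellationToken.None);
    }

    // Constructed sample: only this host may ever serve a PoP key via jku.
    public static SignedHttpRequestValidationParameters SampleParameters() =>
        CreateParameters(new List<string> { "keys.contoso.example" });
}
```

Calling CreateParameters(null) yields the default configuration, in which a jku claim is never followed and validation relies on keys provided through other means (for example the cnf claim of the access token).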