Audience claim validation required if token contains a list of audiences only #274
Comments
Hey @kacper1112, this issue should be fixed in an upcoming release of Vault with #295. We're also planning to reserve a CVE since this posed a vulnerability. If you would like to be credited in the CVE, please reply back with how you would want it presented (e.g. kacper1112 or your full name). Thanks for the issue report!
Hey @mcollao-hc, thanks for resolving this. If that's still viable I would appreciate being credited with my full name - Kacper Stysiński.
Fixed by #295
Hey @fairclothjm, @mcollao-hc are you still planning to / already had reserved a CVE for this issue? Just curious, thanks.
Hey @kacper1112, CVE-2024-5798 is assigned to this. Will be made public soon.
Hi,
I ran into this issue when preparing my Vault configuration for the upcoming GitLab 17 update. See this issue for more context.
According to RFC 7519
My understanding is that if the claim is present in the token, it has to be validated. The problem is that Vault only enforces this rule if the value of `aud` is an array. If the value of `aud` is a plain string, and `bound_audiences` is not set on the auth role, the token is accepted.
With the following configuration:
An attempt to login with a JWT (assuming `iss` and other `bound_claims` match) where `"aud": "https://my.gitlab.com"` will pass; `"aud": [ "https://my.gitlab.com" ]` will fail with `audience claim found in JWT but no audiences bound to the role`.
Is this expected behaviour? Could not find any note in the documentation and it also does not seem right looking at the RFC.
Tested with Vault 1.14.8 and 1.15.5.
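The check the report asks for, as an added example written for this page and not Vault's own code: `ValidateAudience` and the claim maps are assumed names and constructed inputs, and it normalises a string or array `aud` to one list before enforcing that a present claim must be bound, so the string-form token is rejected exactly like the array-form one.

```go
package main

import (
	"errors"
	"fmt"
)

// ValidateAudience applies the rule the report asks for: RFC 7519 allows "aud" to
// be a single string or an array, so both are normalised to a list before checking,
// and a token carrying any "aud" is rejected when the role binds no audiences.
func ValidateAudience(claims map[string]interface{}, bound []string) error {
	raw, present := claims["aud"]
	if !present {
		return nil // no claim, nothing to validate
	}
	var auds []string
	switch v := raw.(type) {
	case string:
		auds = []string{v}
	case []interface{}:
		for _, item := range v {
			s, ok := item.(string)
			if !ok {
				return errors.New("aud array contains a non-string value")
			}
			auds = append(auds, s)
		}
	default:
		return fmt.Errorf("aud claim has unsupported type %T", raw)
	}
	if len(bound) == 0 {
		return errors.New("audience claim found in JWT but no audiences bound to the role")
	}
	for _, a := range auds {
		for _, b := range bound {
			if a == b {
				return nil
			}
		}
	}
	return errors.New("aud claim does not match any bound audience")
}

func main() {
	// Constructed claim sets mirroring the two shapes in the report.
	str := map[string]interface{}{"aud": "https://my.gitlab.com"}
	arr := map[string]interface{}{"aud": []interface{}{"https://my.gitlab.com"}}
	fmt.Println("string aud, no bound_audiences:", ValidateAudience(str, nil))
	fmt.Println("array aud, no bound_audiences:", ValidateAudience(arr, nil))
}
```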