Mend.io Vulnerability Database
CVE-2024-51987
November 07, 2024
Duende.AccessTokenManagement.OpenIdConnect is a set of .NET libraries that manage OAuth and OpenID Connect access tokens. HTTP clients created by "AddUserAccessTokenHttpClient" may use a different user's access token after a token refresh occurs. This happens because the refreshed token is captured in pooled "HttpClient" instances, which may later be handed to a different user. Instead of using "AddUserAccessTokenHttpClient" to create an "HttpClient" that automatically adds a managed token to outgoing requests, you can use the "HttpContext.GetUserAccessTokenAsync" extension method or the "IUserTokenManagementService.GetAccessTokenAsync" method to obtain the current user's token and attach it per request. This issue is fixed in Duende.AccessTokenManagement.OpenIdConnect 3.0.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.
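The following is an added illustration of the per-request pattern the advisory points to; it is not code from the advisory or from the Duende project. It assumes an ASP.NET Core app in which authentication and Duende.AccessTokenManagement.OpenIdConnect (3.0.1 or later) are already configured, a plain named HttpClient called "api" registered without any token-attaching handler, and a placeholder downstream URL; those names and the URL are assumptions.

```csharp
// Added example: resolve the caller's own access token inside the request
// (bound to this HttpContext) and attach it to a plain HttpClient, rather than
// relying on a pooled client that may hold a token refreshed for another user.
using System.Net.Http.Headers;
using Duende.AccessTokenManagement.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Assumed to be configured elsewhere: AddAuthentication(...) with OpenID Connect
// and builder.Services.AddOpenIdConnectAccessTokenManagement().
// Register a plain client; deliberately NOT AddUserAccessTokenHttpClient.
builder.Services.AddHttpClient("api");

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/proxy/claims", async (HttpContext ctx, IHttpClientFactory factory, CancellationToken ct) =>
{
    // Token lookup is scoped to the current user's session, so a refresh that
    // happens here cannot leak into a client another user will reuse.
    UserToken token = await ctx.GetUserAccessTokenAsync();
    if (!string.IsNullOrEmpty(token.Error))
    {
        return Results.Problem(token.Error);
    }

    // Fresh request message: the Authorization header lives on the request,
    // never on the (pooled, shared) HttpClient instance.
    var client = factory.CreateClient("api");
    using var request = new HttpRequestMessage(HttpMethod.Get, "https://api.example.invalid/claims"); // placeholder URL
    request.Headers.Authorization =
        new AuthenticationHeaderValue(token.AccessTokenType ?? "Bearer", token.AccessToken);

    using var response = await client.SendAsync(request, ct);
    var body = await response.Content.ReadAsStringAsync(ct);
    return Results.Content(body, "application/json");
}).RequireAuthorization();

app.Run();
```

The same pattern works with IUserTokenManagementService.GetAccessTokenAsync(ctx.User) injected into the handler; the important point is that the token is looked up per request from the current user and placed on the HttpRequestMessage, not stored on a shared HttpClient.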
CVSS v4
Base Score: 5.3
Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: NONE
Privileges Required: NONE
User Interaction: PASSIVE
Vulnerable System Confidentiality: LOW
Vulnerable System Integrity: LOW
Vulnerable System Availability: NONE
Subsequent System Confidentiality: NONE
Subsequent System Integrity: NONE
Subsequent System Availability: NONE

CVSS v3
Base Score: 5.4
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality: LOW
Integrity: LOW
Availability: NONE

Weakness Type (CWE): Privilege Context Switching Error

EPSS
Base Score: 0.11