CVE-2021-44878

Published: Jan 6, 2022Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

If an OpenID Connect provider supports the "none" algorithm (i.e., tokens with no signature), pac4j v5.3.0 (and prior) does not refuse it without an explicit configuration on its side or for the "idtoken" response type which is not secure and violates the OpenID Core Specification. The "none" algorithm does not require any signature verification when validating the ID tokens, which allows the attacker to bypass the token validation by injecting a malformed ID token using "none" as the value of "alg" key in the header with an empty signature value.

Affected (2)

Products: Pac4j: Pac4j

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Pac4j Pac4j	Before 4.5.5
Pac4j Pac4j	From 5.0.0 to 5.3.1

Related CWEs

Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

References (6)

https://github.com/pac4j/pac4j/commit/22b82ffd702a132d9f09da60362fc6264fc281ae

Source: cve@mitre.org

PatchThird Party Advisory

https://openid.net/specs/openid-connect-core-1_0.html#IDToken

Source: cve@mitre.org

ProductThird Party Advisory

https://www.pac4j.org/blog/cve_2021_44878_is_this_serious.html

Source: cve@mitre.org

MitigationVendor Advisory

https://github.com/pac4j/pac4j/commit/22b82ffd702a132d9f09da60362fc6264fc281ae

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://openid.net/specs/openid-connect-core-1_0.html#IDToken

Source: af854a3a-2127-422b-91ae-364da2661108

ProductThird Party Advisory

https://www.pac4j.org/blog/cve_2021_44878_is_this_serious.html

Source: af854a3a-2127-422b-91ae-364da2661108

MitigationVendor Advisory

Timeline

No history available yet.