Vulnerable Library - pac4j-oidc-4.0.0-RC3.jar
Profile & Authentication Client for Java
Library home page: https://github.com/pac4j/pac4j
Path to dependency file: /server/dist/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/pac4j/pac4j-oidc/4.0.0-RC3/pac4j-oidc-4.0.0-RC3.jar
Found in HEAD commit: 97d18a56dfc9d482e0ac2ae24230edd85457b90b
Vulnerabilities
Details
CVE-2021-44878
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
If an OpenID Connect provider supports the "none" algorithm (i.e., ID tokens that carry no signature), pac4j v5.3.0 (and prior) does not refuse such tokens unless it is explicitly configured to, nor does it refuse them for the "idtoken" response type. Accepting an unsigned ID token is insecure and violates the OpenID Connect Core specification. Because "none" requires no signature verification during ID token validation, an attacker can bypass validation entirely by supplying a forged ID token whose header sets "alg" to "none" and whose signature segment is empty, with whatever claims they choose in the payload.
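As an added illustration (not code from pac4j or from this issue), the following Python shows the bug class the description above refers to: a JWT validator that lets the attacker-controlled `alg` header decide whether a signature check happens at all, next to a hardened validator that pins the algorithm to an RP-side allowlist before touching the signature and then checks the issuer, audience and expiry claims OpenID Connect Core requires. Everything in it is constructed for the example: the shared secret, the issuer and client ID, and the use of HS256 (real ID tokens are normally RS256-signed with the OP's JWKS key; the allowlist check is the same). Remediation for the library itself remains the version upgrade listed under Suggested Fix.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample data: a made-up shared secret and a made-up OP/RP pair.
# HS256 is used only so the example runs with no dependencies; the allowlist
# logic is identical for the asymmetric algorithms OPs normally use.
KEY = b"constructed-shared-secret-for-the-example"
ISSUER = "https://op.example"
AUDIENCE = "rp-client-id"
ALLOWED_ALGS = {"HS256"}  # what the RP agreed with the OP; "none" is never here


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def make_hs256_token(claims: dict, key: bytes) -> str:
    """A legitimately signed ID token, as the OP would mint it."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def make_none_token(claims: dict) -> str:
    """The attacker's forgery: alg=none in the header and an empty signature segment."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(claims)}."


def _hs256_ok(signing_input: str, sig: bytes, key: bytes) -> bool:
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def validate_vulnerable(token: str, key: bytes) -> Optional[dict]:
    """Mirrors the flawed pattern: the attacker-controlled 'alg' header decides
    whether any signature check happens at all."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    alg = header.get("alg")
    if alg == "none":
        return claims  # accepted with no verification: the bug
    if alg == "HS256" and _hs256_ok(f"{header_b64}.{payload_b64}", b64url_decode(sig_b64), key):
        return claims
    return None


def validate_hardened(token: str, key: bytes, issuer: str, audience: str, now: int) -> Optional[dict]:
    """Pin the algorithm to the RP-side allowlist before looking at the signature,
    then check the iss, aud and exp claims OIDC Core requires of an ID token."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:  # bad base64url, bad UTF-8 or bad JSON
        return None
    if header.get("alg") not in ALLOWED_ALGS:  # rejects "none", "None", "HS384", ...
        return None
    if not sig_b64 or not _hs256_ok(f"{header_b64}.{payload_b64}", b64url_decode(sig_b64), key):
        return None
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


if __name__ == "__main__":
    legit = {"iss": ISSUER, "aud": AUDIENCE, "sub": "alice", "exp": 1_700_000_000}
    forged = {"iss": ISSUER, "aud": AUDIENCE, "sub": "admin", "exp": 1_700_000_000}
    good, bad = make_hs256_token(legit, KEY), make_none_token(forged)
    now = 1_699_000_000
    print("vulnerable accepts forgery:", validate_vulnerable(bad, KEY) is not None)
    print("hardened accepts forgery:  ", validate_hardened(bad, KEY, ISSUER, AUDIENCE, now) is not None)
    print("hardened accepts legit:    ", validate_hardened(good, KEY, ISSUER, AUDIENCE, now) is not None)
```

The ordering in `validate_hardened` is the point: the algorithm allowlist is consulted before the header is trusted for anything else, so an `alg` of `none` (or any algorithm the RP did not agree to) never reaches the signature branch, and an empty signature segment is rejected outright rather than silently treated as "nothing to verify".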
Publish Date: 2022-01-06
URL: CVE-2021-44878
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44878
Release Date: 2022-01-06
Fix Resolution: 4.5.5
⛑️ Automatic Remediation is available for this issue