Vulnerability Details : CVE-2021-44878
If an OpenID Connect provider supports the "none" algorithm (i.e., tokens with no signature), pac4j v5.3.0 (and prior) does not refuse such tokens unless explicitly configured to do so, and does not refuse them at all for the "idtoken" response type; this is insecure and violates the OpenID Connect Core specification. With the "none" algorithm no signature is checked when the ID token is validated, so an attacker can bypass token validation by injecting a crafted ID token whose header carries "none" as the value of the "alg" key and whose signature part is empty.
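The bypass described above, as an added illustration in Python (this is not pac4j code and not from the advisory): a minimal compact-JWS builder, a validator that mirrors the flaw by letting the token's own "alg" header decide whether a signature is checked, and a hardened validator that pins the algorithm the relying party configured and so rejects "none" before trusting any claim. The shared-secret HS256 signing, the demo key and the issuer "https://op.example" are assumptions made so the example runs offline; real OIDC providers normally sign ID tokens with RS256 and publish their keys via JWKS, but the "alg": "none" check is the same.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key (assumption): HS256 stands in for the provider's key so
# the example runs offline. Real OIDC providers usually sign with RS256.
DEMO_KEY = b"demo-shared-secret"
EXPECTED_ISSUER = "https://op.example"   # assumed provider issuer for the demo


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_sign(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def make_token(claims: dict, alg: str, key: bytes = DEMO_KEY) -> str:
    """Build a compact JWS. alg="none" yields "header.payload." with an empty
    signature part, which is exactly what the attacker in the advisory sends."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(claims).encode()))
    if alg == "HS256":
        return signing_input + "." + b64url_encode(hs256_sign(signing_input, key))
    if alg == "none":
        return signing_input + "."
    raise ValueError(f"unsupported alg {alg!r}")


def split_token(token: str):
    """Return (header, claims, signing_input, signature_b64) for a compact JWS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims, parts[0] + "." + parts[1], parts[2]


def validate_vulnerable(token: str, key: bytes = DEMO_KEY):
    """Flawed validator: the token's own "alg" header decides whether a
    signature is verified. Returns the claims if accepted, otherwise None."""
    header, claims, signing_input, sig = split_token(token)
    alg = header.get("alg")
    if alg == "none":
        return claims                      # unsigned token accepted as-is
    if alg == "HS256" and hmac.compare_digest(
            hs256_sign(signing_input, key), b64url_decode(sig)):
        return claims
    return None


def validate_hardened(token: str, key: bytes = DEMO_KEY):
    """Fixed validator: the algorithm is pinned by the relying party's
    configuration, so "none" (and any other unexpected alg) is rejected
    before the signature or any claim is looked at."""
    header, claims, signing_input, sig = split_token(token)
    if header.get("alg") != "HS256":       # reject "none" and anything unconfigured
        return None
    if not hmac.compare_digest(hs256_sign(signing_input, key), b64url_decode(sig)):
        return None
    if claims.get("iss") != EXPECTED_ISSUER:   # only trust claims after the signature
        return None
    return claims


if __name__ == "__main__":
    legit = make_token({"iss": EXPECTED_ISSUER, "sub": "alice"}, "HS256")
    forged = make_token({"iss": EXPECTED_ISSUER, "sub": "admin"}, "none")
    print("vulnerable accepts forged token:", validate_vulnerable(forged) is not None)
    print("hardened accepts forged token:  ", validate_hardened(forged) is not None)
    print("both accept the signed token:   ",
          validate_vulnerable(legit) == validate_hardened(legit) == {"iss": EXPECTED_ISSUER, "sub": "alice"})
```

The difference between the two validators is the order of decisions: the vulnerable one reads "alg" from untrusted input and branches on it; the hardened one compares the header against a value the relying party chose in advance and only then verifies, which is the behaviour the OpenID Connect Core ID token rules require of a client.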
Products affected by CVE-2021-44878
- cpe:2.3:a:pac4j:pac4j:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-44878
EPSS score: 0.01% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~1% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2021-44878
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 | NIST |
CWE ids for CVE-2021-44878
- The product does not verify, or incorrectly verifies, the cryptographic signature for data. Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-44878
- https://openid.net/specs/openid-connect-core-1_0.html#IDToken
  Final: OpenID Connect Core 1.0 incorporating errata set 1 (Product; Third Party Advisory)
- https://www.pac4j.org/blog/cve_2021_44878_is_this_serious.html
  pac4j: security for Java (Mitigation; Vendor Advisory)
- https://github.com/pac4j/pac4j/commit/22b82ffd702a132d9f09da60362fc6264fc281ae
  reinforce security on OIDC · pac4j/pac4j@22b82ff · GitHub (Patch; Third Party Advisory)