Vulnerabilities
Projects
Vulnerability Disclosure
About Us
Contact Us
Mend.io Vulnerability Database
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
We found results for “”
CVE-2024-51987
Good to know:
Date: November 7, 2024
Duende.AccessTokenManagement.OpenIdConnect is a set of .NET libraries that manage OAuth and OpenId Connect access tokens. HTTP Clients created by "AddUserAccessTokenHttpClient" may use a different user's access token after a token refresh occurs. This occurs because a refreshed token will be captured in pooled "HttpClient" instances, which may be used by a different user. Instead of using "AddUserAccessTokenHttpClient" to create an "HttpClient" that automatically adds a managed token to outgoing requests, you can use the "HttpConext.GetUserAccessTokenAsync" extension method or the "IUserTokenManagementService.GetAccessTokenAsync" method. This issue is fixed in Duende.AccessTokenManagement.OpenIdConnect 3.0.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Language: C#
Severity Score
Related Resources (6)
Severity Score
Weakness Type (CWE)
Privilege Context Switching Error
CWE-270Top Fix
CVSS v3.1
| Base Score: |
|
|---|---|
| Attack Vector (AV): | NETWORK |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | NONE |
| User Interaction (UI): | REQUIRED |
| Scope (S): | UNCHANGED |
| Confidentiality (C): | LOW |
| Integrity (I): | LOW |
| Availability (A): | NONE |