CVE-2024-10125 – The Amazon.ApplicationLoadBalancer.Identity.AspNetCore repo …

22 October 2024

Vuln ID: CVE-2024-10125

Published: 2024-10-22 00:15:02.457

Description: The Amazon.ApplicationLoadBalancer.Identity.AspNetCore repo https://github.com/awslabs/aws-alb-identity-aspnetcore#validatetokensignature contains Middleware that can be used in conjunction with the Application Load Balancer (ALB) OpenId Connect integration and can be used in any ASP.NET http://asp.net/ Core deployment scenario, including Fargate, EKS, ECS, EC2, and Lambda. In the JWT handling code, it performs signature validation but fails to validate the JWT issuer and signer identity. The signer omission, if combined with a scenario where the infrastructure owner allows internet traffic to the ALB targets (not a recommended configuration), can allow for JWT signing by an untrusted entity and an actor may be able to mimic valid OIDC-federated sessions to the ALB targets.

Base Score: 7.5 – HIGH

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N

Source: NVD.NIST.GOV

Date:

22 October 2024

Categorie(s):

NVD

Tag(s):

NVD

Pixel perfect Ghostpulse malware loader hides inside PNG image files22 October 2024
CISA Adds ScienceLogic SL1 Vulnerability to Exploited Catalog After Active Zero-Day Attack22 October 2024
IT security and government services: Balancing transparency and security22 October 2024
Phishing scams and malicious domains take center stage as the US election approaches22 October 2024
Myths holding women back from cybersecurity careers22 October 2024