#VU69935 Improper Verification of Cryptographic Signature in pac4j - CVE-2021-44878

Published: December 6, 2022


Vulnerability identifier: #VU69935
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-44878
CWE-ID: CWE-347
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
pac4j
Software vendor:
pac4j

Description

The vulnerability allows a remote attacker to bypass ID token validation and authenticate to the target system with forged claims.

The vulnerability exists because pac4j does not reject the "none" signature algorithm on its own: if the OpenID Connect provider advertises support for "none" (or the "idtoken" response type is used), pac4j accepts unsigned ID tokens unless the relying party has explicitly configured it to refuse them. A remote attacker can bypass token validation by submitting a forged ID token whose header sets the "alg" value to "none" and whose signature segment is empty.
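The following is an added example, not pac4j's own code, that models the flaw in a minimal OpenID Connect ID token validator using only the Python standard library. The provider's advertised algorithm list, the HS256 key and every token below are constructed for the demonstration (the real provider would typically sign with RS256); the `harden` flag switches between the flawed behaviour, where "none" is accepted merely because the provider lists it, and the corrected behaviour, where "none" is dropped unless the relying party opts in explicitly.

```python
"""
Model of the CVE-2021-44878 failure mode (added example, not pac4j code):
an OpenID Connect client that takes the provider's advertised signing
algorithms at face value accepts an unsigned ID token when that list contains
"none". The hardened path discards "none" unless explicitly enabled.
HS256 stands in for the provider's real signing algorithm; all tokens and
keys here are constructed locally.
"""
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS requires (RFC 7515, section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Reverse of b64url_encode; restores the padding base64 needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(header: dict, claims: dict, key: bytes = b"") -> str:
    """Build a compact JWS. alg "none" yields an empty signature segment;
    anything else is HS256-signed with `key` (a stand-in for the OP's key)."""
    head = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{head}.{body}".encode()
    if header.get("alg") == "none":
        sig = ""
    else:
        sig = b64url_encode(hmac.new(key, signing_input, hashlib.sha256).digest())
    return f"{head}.{body}.{sig}"


class TokenRejected(Exception):
    """Raised when an ID token fails validation."""


def validate_id_token(token: str, key: bytes, provider_algs, *,
                      allow_none: bool = False, harden: bool = True) -> dict:
    """Validate a compact JWS ID token and return its claims.

    provider_algs models id_token_signing_alg_values_supported from the OP's
    discovery document. harden=False mirrors the flawed behaviour: "none" is
    accepted because the provider lists it. harden=True (the fix) accepts
    "none" only when the relying party opted in via allow_none.
    """
    accepted = set(provider_algs)
    if harden and not allow_none:
        accepted.discard("none")

    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(body_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenRejected(f"malformed token: {exc}") from None

    alg = header.get("alg")
    if alg not in accepted:
        raise TokenRejected(f"alg {alg!r} not acceptable")

    if alg == "none":
        # Unsecured JWS (RFC 7518, section 3.6): signature segment must be empty.
        if sig_b64 != "":
            raise TokenRejected("alg none with non-empty signature")
        return claims  # reachable only if "none" was explicitly accepted above

    if alg == "HS256":
        expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise TokenRejected("bad signature")
        return claims

    raise TokenRejected(f"unsupported alg {alg!r}")


def demo() -> dict:
    """Genuine token vs. forged alg=none token, under both validator modes."""
    key = b"op-hs256-key-demo"                  # constructed stand-in for the OP key
    provider_algs = ["RS256", "HS256", "none"]  # constructed: OP advertises "none"
    claims = {"iss": "https://op.example", "sub": "alice", "aud": "client-1"}
    genuine = make_token({"alg": "HS256", "typ": "JWT"}, claims, key)
    forged = make_token({"alg": "none", "typ": "JWT"}, {**claims, "sub": "admin"})

    results = {"genuine_sub": validate_id_token(genuine, key, provider_algs)["sub"]}
    for label, harden in (("vulnerable_accepts_none", False),
                          ("hardened_accepts_none", True)):
        try:
            validate_id_token(forged, key, provider_algs, harden=harden)
            results[label] = True
        except TokenRejected:
            results[label] = False
    return results


if __name__ == "__main__":
    print(demo())
```

The important design point is that the allowed-algorithm set is derived from relying-party configuration rather than from whatever the provider advertises: an attacker does not need to control the provider, only to craft a token the client is willing to treat as unsigned.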


Remediation

Install updates from the vendor's website.

External links