Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Microsoft.IdentityModel.Protocols.SignedHttpRequest remote code execution vulnerability
Vulnerability Description
IdentityModel Extensions for .NET provide assemblies for web developers that wish to use federated identity providers for establishing the caller's identity. Anyone leveraging the `SignedHttpRequest`protocol or the `SignedHttpRequestValidator`is vulnerable. Microsoft.IdentityModel trusts the `jku`claim by default for the `SignedHttpRequest`protocol. This raises the possibility to make any remote or local `HTTP GET` request. The vulnerability has been fixed in Microsoft.IdentityModel.Protocols.SignedHttpRequest. Users should update all their Microsoft.IdentityModel versions to 7.1.2 (for 7x) or higher, 6.34.0 (for 6x) or higher.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
Vulnerability Type
对生成代码的控制不恰当(代码注入)
Vulnerability Title
Microsoft Azure IdentityModel 代码注入漏洞
Vulnerability Description
Microsoft Azure是美国微软(Microsoft)公司的一套开放的企业级云计算平台。 Microsoft Azure IdentityModel 存在代码注入漏洞。目前尚无此漏洞的相关信息,请随时关注CNNVD或厂商公告。
CVSS Information
N/A
Vulnerability Type
N/A