CVE-2021-44878

Token validation bypass in Pac4j in maven/org.pac4j/pac4j-core

Identifiers

GHSA-xhw6-hjc9-679m, CVE-2021-44878

Package Slug

maven/org.pac4j/pac4j-core

Vulnerability

Token validation bypass in Pac4j

Description

Pac4j v5.1 and earlier allows clients, by default, to accept and successfully validate ID Tokens that use the "none" algorithm (i.e., tokens with no signature), which is not secure and violates the OpenID Connect Core specification. The "none" algorithm requires no signature verification when the ID token is validated, so an attacker can bypass token validation by injecting a crafted ID token whose header sets the "alg" key to "none" and whose signature segment is empty.
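The following is an added illustration of the check the advisory describes, written for this page; it is not pac4j's code and does not reflect its internal API. It assumes a symmetric HS256 shared secret (a constructed value) and a simple JWT compact-serialization layout. It places a lenient validator, which trusts the token header's "alg" field and so accepts an unsigned token, next to a strict validator that enforces an algorithm allowlist, refuses an empty signature segment, and verifies the HMAC with a constant-time comparison.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret for the HS256 demonstration (not a real key).
SECRET = b"example-shared-secret"

# Algorithms the strict validator will accept. "none" is deliberately absent:
# the allowlist, not the token header, decides how a token must be signed.
ALLOWED_ALGS = {"HS256"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Build a correctly signed HS256 token (used only to produce test input)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def make_unsigned_token(claims: dict) -> str:
    """Constructed sample of the malformed token shape the advisory describes:
    header alg = "none" and an empty signature segment."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def validate_lenient(token: str, secret: bytes) -> dict:
    """Vulnerable pattern: the token header chooses the algorithm, including "none"."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") == "none":
        # No signature check at all: whoever wrote the payload is believed.
        return json.loads(_b64url_decode(payload_b64))
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(payload_b64))


def validate_strict(token: str, secret: bytes) -> dict:
    """Hardened pattern: algorithm allowlist, mandatory signature, constant-time compare."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        # Covers "none", missing alg, and any algorithm the relying party did not configure.
        raise ValueError(f"algorithm {alg!r} is not permitted")
    if not sig_b64:
        raise ValueError("missing signature")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(payload_b64))


def is_accepted(validator, token: str, secret: bytes = SECRET) -> bool:
    """True if the validator returns claims, False if it rejects the token."""
    try:
        validator(token, secret)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    signed = make_hs256_token({"sub": "alice"}, SECRET)
    unsigned = make_unsigned_token({"sub": "alice"})
    print("lenient accepts unsigned:", is_accepted(validate_lenient, unsigned))  # True
    print("strict accepts unsigned:", is_accepted(validate_strict, unsigned))    # False
    print("strict accepts signed:", is_accepted(validate_strict, signed))        # True
```

The design point is that the allowed algorithm set is fixed by the relying party's configuration and checked before any signature handling; a validator that reads "alg" from an untrusted header and dispatches on it is exactly the pattern that lets an unsigned token through. The same allowlist discipline applies when the expected algorithm is asymmetric (RS256 or ES256): the allowlist then names that algorithm and the check verifies against the provider's published key.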

Affected Versions

All versions before 5.2.0

Solution

Upgrade to version 5.2.0 or above.

Last Modified

2022-01-11