Advisories for Nuget/Microsoft.IdentityModel.Protocols.SignedHttpRequest package

2024

Improper Control of Generation of Code ('Code Injection')

IdentityModel Extensions for .NET provide assemblies for web developers that wish to use federated identity providers for establishing the caller's identity. Anyone leveraging the SignedHttpRequestprotocol or the SignedHttpRequestValidatoris vulnerable. Microsoft.IdentityModel trusts the jkuclaim by default for the SignedHttpRequestprotocol. This raises the possibility to make any remote or local HTTP GET request. The vulnerability has been fixed in Microsoft.IdentityModel.Protocols.SignedHttpRequest. Users should update all their Microsoft.IdentityModel versions to 7.1.2 (for 7x) or …