CVE-2024-21319 (Medium) detected in system.identitymodel.tokens.jwt.6.10.0.nupkg, microsoft.identitymodel.jsonwebtokens.6.10.0.nupkg #350

mend-bolt-for-github · 2024-03-14T21:34:26Z

CVE-2024-21319 - Medium Severity Vulnerability

Vulnerable Libraries - system.identitymodel.tokens.jwt.6.10.0.nupkg, microsoft.identitymodel.jsonwebtokens.6.10.0.nupkg

system.identitymodel.tokens.jwt.6.10.0.nupkg

Includes types that provide support for creating, serializing and validating JSON Web Tokens.

Library home page: https://api.nuget.org/packages/system.identitymodel.tokens.jwt.6.10.0.nupkg

Path to dependency file: /RpiHost/RpiHost.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.identitymodel.tokens.jwt/6.10.0/system.identitymodel.tokens.jwt.6.10.0.nupkg

Dependency Hierarchy:

microsoft.aspnetcore.authentication.jwtbearer.6.0.13.nupkg (Root Library)
- microsoft.identitymodel.protocols.openidconnect.6.10.0.nupkg
  - ❌ system.identitymodel.tokens.jwt.6.10.0.nupkg (Vulnerable Library)

microsoft.identitymodel.jsonwebtokens.6.10.0.nupkg

Includes types that provide support for creating, serializing and validating JSON Web Tokens.

Library home page: https://api.nuget.org/packages/microsoft.identitymodel.jsonwebtokens.6.10.0.nupkg

Path to dependency file: /RpiHost/RpiHost.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.identitymodel.jsonwebtokens/6.10.0/microsoft.identitymodel.jsonwebtokens.6.10.0.nupkg

Dependency Hierarchy:

microsoft.aspnetcore.authentication.jwtbearer.6.0.13.nupkg (Root Library)
- microsoft.identitymodel.protocols.openidconnect.6.10.0.nupkg
  - system.identitymodel.tokens.jwt.6.10.0.nupkg
    - ❌ microsoft.identitymodel.jsonwebtokens.6.10.0.nupkg (Vulnerable Library)

Found in HEAD commit: be31a362993231eadd76d681bb590409ec06ec9f

Found in base branch: master

Vulnerability Details

Microsoft Identity Denial of service vulnerability

Publish Date: 2024-01-09

URL: CVE-2024-21319

CVSS 3 Score Details (6.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-8g9c-28fc-mcx2

Release Date: 2024-01-09

Fix Resolution: System.IdentityModel.Tokens.Jwt - 5.7.0,6.34.0,7.1.2, Microsoft.IdentityModel.JsonWebTokens - 5.7.0,6.34.0,7.1.2

Step up your Open Source Security Game with Mend here

mend-bolt-for-github bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Mar 14, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2024-21319 (Medium) detected in system.identitymodel.tokens.jwt.6.10.0.nupkg, microsoft.identitymodel.jsonwebtokens.6.10.0.nupkg #350

CVE-2024-21319 (Medium) detected in system.identitymodel.tokens.jwt.6.10.0.nupkg, microsoft.identitymodel.jsonwebtokens.6.10.0.nupkg #350

mend-bolt-for-github bot commented Mar 14, 2024

CVE-2024-21319 (Medium) detected in system.identitymodel.tokens.jwt.6.10.0.nupkg, microsoft.identitymodel.jsonwebtokens.6.10.0.nupkg #350

CVE-2024-21319 (Medium) detected in system.identitymodel.tokens.jwt.6.10.0.nupkg, microsoft.identitymodel.jsonwebtokens.6.10.0.nupkg #350

Comments

mend-bolt-for-github bot commented Mar 14, 2024

CVE-2024-21319 - Medium Severity Vulnerability