Micronaut Security Oauth2: Improper Access Control Vulnerability

by Matthew Moss

The Micronaut team confirmed a security vulnerability found in the Micronaut Security Oauth2 dependency, identified and reported by Tommy Li. This vulnerability is assigned the identifier CVE-2023-36820.

Summary

When using a vulnerable version of micronaut-security-oauth2, the IdTokenClaimsValidator skips aud claim validation if the same authorization server issues the token.

Affected Versions

Micronaut Security versions greater than or equal to 4.0.0 are not affected.

If you use a Micronaut Security version before 4.0.0, your Micronaut application may be affected. Details on the affected and patched versions are available in the GitHub Security Advisory.

Mitigation

Please upgrade to a patched version of micronaut-security-oauth2 as soon as possible.

If you cannot upgrade (for example, if you are still using Micronaut framework 2.x), you can patch your application by using the workaround provided in the GitHub Security Advisory.

More Info

The Micronaut Foundation and the Micronaut development team take application security very seriously. If you have questions about this vulnerability or need assistance on upgrades or workarounds, please see the discussion on GitHub or contact us at security@micronaut.io.