The Micronaut team confirmed a security vulnerability found in the Micronaut Security Oauth2 dependency, identified and reported by Tommy Li. This vulnerability is assigned the identifier CVE-2023-36820.
When using a vulnerable version of micronaut-security-oauth2, the framework does not perform aud claim validation if the same authorization server issues the token. A token minted by that server for a different client application is therefore accepted as if it had been issued for yours.
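To make the gap concrete, the following example (added here; it is neither Micronaut code nor the workaround from the GitHub Security Advisory) contrasts an issuer-only check with one that also requires the token's aud claim to name this client. Issuer, client id and the tokens are constructed sample values, and signature verification is assumed to have already happened before the claims are inspected.

```python
import base64
import json

# Constructed sample values: the trusted authorization server and the client id
# this application registered with it.
EXPECTED_ISSUER = "https://auth.example.test"
EXPECTED_AUDIENCE = "my-micronaut-app"


def _b64url_decode(segment: str) -> bytes:
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed JWT with an empty signature, for this demo only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    # Signature verification is assumed to have been done before this point.
    return json.loads(_b64url_decode(token.split(".")[1]))


def issuer_only_check(claims: dict, issuer: str = EXPECTED_ISSUER) -> bool:
    """The weak check: any token from the trusted issuer is accepted."""
    return claims.get("iss") == issuer


def issuer_and_audience_check(claims: dict, issuer: str = EXPECTED_ISSUER,
                              audience: str = EXPECTED_AUDIENCE) -> bool:
    """The hardened check: the token must also be addressed to this client."""
    if claims.get("iss") != issuer:
        return False
    aud = claims.get("aud")
    if aud is None:
        return False  # no audience at all: reject rather than assume
    audiences = aud if isinstance(aud, list) else [aud]  # RFC 7519: string or array
    return audience in audiences


# Same authorization server, but the token was issued to a different client.
OTHER_CLIENT_TOKEN = make_unsigned_token(
    {"iss": EXPECTED_ISSUER, "sub": "alice", "aud": "other-app"})
# Token issued for this application (aud given as an array).
OWN_TOKEN = make_unsigned_token(
    {"iss": EXPECTED_ISSUER, "sub": "alice", "aud": ["my-micronaut-app", "api"]})
```

The issuer-only check accepts OTHER_CLIENT_TOKEN, which is exactly the cross-client acceptance the advisory describes; the audience-aware check rejects it while still accepting OWN_TOKEN.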
Micronaut Security versions greater than or equal to 4.0.0 are not affected.
If you use a Micronaut Security version before 4.0.0, your Micronaut application may be affected. Details on the affected and patched versions are available in the GitHub Security Advisory.
Please upgrade to a patched version of micronaut-security-oauth2 as soon as possible.
If you cannot upgrade (for example, if you are still using Micronaut framework 2.x), you can patch your application by using the workaround provided in the GitHub Security Advisory.
The Micronaut Foundation and the Micronaut development team take application security very seriously. If you have questions about this vulnerability or need assistance with upgrades or workarounds, please see the discussion on GitHub or contact us at email@example.com.