CVE-2024-21319 (Medium) detected in microsoft.identitymodel.jsonwebtokens.5.5.0.nupkg, system.identitymodel.tokens.jwt.5.5.0.nupkg #22

mend-bolt-for-github · 2024-01-14T13:19:23Z

CVE-2024-21319 - Medium Severity Vulnerability

Vulnerable Libraries - microsoft.identitymodel.jsonwebtokens.5.5.0.nupkg, system.identitymodel.tokens.jwt.5.5.0.nupkg

microsoft.identitymodel.jsonwebtokens.5.5.0.nupkg

Includes types that provide support for creating, serializing and validating JSON Web Tokens.

Library home page: https://api.nuget.org/packages/microsoft.identitymodel.jsonwebtokens.5.5.0.nupkg

Path to dependency file: /src/Test/Desktop/OpenRiaServices.Common.DomainServices.Test/OpenRiaServices.Common.DomainServices.Test.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.identitymodel.jsonwebtokens/5.5.0/microsoft.identitymodel.jsonwebtokens.5.5.0.nupkg,/home/wss-scanner/.nuget/packages/microsoft.identitymodel.jsonwebtokens/5.5.0/microsoft.identitymodel.jsonwebtokens.5.5.0.nupkg,/home/wss-scanner/.nuget/packages/microsoft.identitymodel.jsonwebtokens/5.5.0/microsoft.identitymodel.jsonwebtokens.5.5.0.nupkg,/home/wss-scanner/.nuget/packages/microsoft.identitymodel.jsonwebtokens/5.5.0/microsoft.identitymodel.jsonwebtokens.5.5.0.nupkg,/home/wss-scanner/.nuget/packages/microsoft.identitymodel.jsonwebtokens/5.5.0/microsoft.identitymodel.jsonwebtokens.5.5.0.nupkg,/home/wss-scanner/.nuget/packages/microsoft.identitymodel.jsonwebtokens/5.5.0/microsoft.identitymodel.jsonwebtokens.5.5.0.nupkg,/home/wss-scanner/.nuget/packages/microsoft.identitymodel.jsonwebtokens/5.5.0/microsoft.identitymodel.jsonwebtokens.5.5.0.nupkg,/home/wss-scanner/.nuget/packages/microsoft.identitymodel.jsonwebtokens/5.5.0/microsoft.identitymodel.jsonwebtokens.5.5.0.nupkg,/home/wss-scanner/.nuget/packages/microsoft.identitymodel.jsonwebtokens/5.5.0/microsoft.identitymodel.jsonwebtokens.5.5.0.nupkg

Dependency Hierarchy:

EFCoreModels-1.0.0 (Root Library)
- microsoft.entityframeworkcore.sqlserver.3.1.32.nupkg
  - microsoft.data.sqlclient.1.1.3.nupkg
    - microsoft.identitymodel.protocols.openidconnect.5.5.0.nupkg
      - system.identitymodel.tokens.jwt.5.5.0.nupkg
        
        ❌ microsoft.identitymodel.jsonwebtokens.5.5.0.nupkg (Vulnerable Library)

system.identitymodel.tokens.jwt.5.5.0.nupkg

Includes types that provide support for creating, serializing and validating JSON Web Tokens.

Library home page: https://api.nuget.org/packages/system.identitymodel.tokens.jwt.5.5.0.nupkg

Path to dependency file: /src/OpenRiaServices.Server.UnitTesting/Test/OpenRiaServices.Server.UnitTesting.Test.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.identitymodel.tokens.jwt/5.5.0/system.identitymodel.tokens.jwt.5.5.0.nupkg,/home/wss-scanner/.nuget/packages/system.identitymodel.tokens.jwt/5.5.0/system.identitymodel.tokens.jwt.5.5.0.nupkg,/home/wss-scanner/.nuget/packages/system.identitymodel.tokens.jwt/5.5.0/system.identitymodel.tokens.jwt.5.5.0.nupkg,/home/wss-scanner/.nuget/packages/system.identitymodel.tokens.jwt/5.5.0/system.identitymodel.tokens.jwt.5.5.0.nupkg,/home/wss-scanner/.nuget/packages/system.identitymodel.tokens.jwt/5.5.0/system.identitymodel.tokens.jwt.5.5.0.nupkg,/home/wss-scanner/.nuget/packages/system.identitymodel.tokens.jwt/5.5.0/system.identitymodel.tokens.jwt.5.5.0.nupkg,/home/wss-scanner/.nuget/packages/system.identitymodel.tokens.jwt/5.5.0/system.identitymodel.tokens.jwt.5.5.0.nupkg,/home/wss-scanner/.nuget/packages/system.identitymodel.tokens.jwt/5.5.0/system.identitymodel.tokens.jwt.5.5.0.nupkg,/home/wss-scanner/.nuget/packages/system.identitymodel.tokens.jwt/5.5.0/system.identitymodel.tokens.jwt.5.5.0.nupkg

Dependency Hierarchy:

EFCoreModels-1.0.0 (Root Library)
- microsoft.entityframeworkcore.sqlserver.3.1.32.nupkg
  - microsoft.data.sqlclient.1.1.3.nupkg
    - microsoft.identitymodel.protocols.openidconnect.5.5.0.nupkg
      - ❌ system.identitymodel.tokens.jwt.5.5.0.nupkg (Vulnerable Library)

Found in HEAD commit: 049dcf89af74909dfa914cd5044d3f836d134b3a

Found in base branch: main

Vulnerability Details

Microsoft Identity Denial of service vulnerability

Publish Date: 2024-01-09

URL: CVE-2024-21319

CVSS 3 Score Details (6.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-8g9c-28fc-mcx2

Release Date: 2024-01-09

Fix Resolution: System.IdentityModel.Tokens.Jwt - 5.7.0,6.34.0,7.1.2, Microsoft.IdentityModel.JsonWebTokens - 5.7.0,6.34.0,7.1.2

Step up your Open Source Security Game with Mend here

mend-bolt-for-github bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Jan 14, 2024

mend-bolt-for-github bot changed the title ~~CVE-2024-21319 (Medium) detected in multiple libraries~~ CVE-2024-21319 (Medium) detected in microsoft.identitymodel.jsonwebtokens.5.5.0.nupkg, system.identitymodel.tokens.jwt.5.5.0.nupkg Nov 13, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2024-21319 (Medium) detected in microsoft.identitymodel.jsonwebtokens.5.5.0.nupkg, system.identitymodel.tokens.jwt.5.5.0.nupkg #22

CVE-2024-21319 (Medium) detected in microsoft.identitymodel.jsonwebtokens.5.5.0.nupkg, system.identitymodel.tokens.jwt.5.5.0.nupkg #22

mend-bolt-for-github bot commented Jan 14, 2024 •

edited

Loading

CVE-2024-21319 (Medium) detected in microsoft.identitymodel.jsonwebtokens.5.5.0.nupkg, system.identitymodel.tokens.jwt.5.5.0.nupkg #22

CVE-2024-21319 (Medium) detected in microsoft.identitymodel.jsonwebtokens.5.5.0.nupkg, system.identitymodel.tokens.jwt.5.5.0.nupkg #22

Comments

mend-bolt-for-github bot commented Jan 14, 2024 • edited Loading

CVE-2024-21319 - Medium Severity Vulnerability

mend-bolt-for-github bot commented Jan 14, 2024 •

edited

Loading