{"id":"CVE-2024-21643","summary":"Microsoft.IdentityModel.Protocols.SignedHttpRequest remote code execution vulnerability","details":"IdentityModel Extensions for .NET provide assemblies for web developers that wish to use federated identity providers for establishing the caller's identity. Anyone leveraging the `SignedHttpRequest` protocol or the `SignedHttpRequestValidator` is vulnerable. Microsoft.IdentityModel trusts the `jku` claim by default for the `SignedHttpRequest` protocol, so a crafted request carrying an attacker-chosen `jku` URL can cause the library to issue any remote or local `HTTP GET` request. The vulnerability has been fixed in Microsoft.IdentityModel.Protocols.SignedHttpRequest. Users should update all their Microsoft.IdentityModel packages to 7.1.2 or higher (for the 7.x line) or to 6.34.0 or higher (for the 6.x line).","aliases":["GHSA-rv9j-c866-gp5h"],"modified":"2026-04-10T04:13:00.142669Z","published":"2024-01-10T04:13:16.959Z","database_specific":{"cwe_ids":["CWE-94"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/21xxx/CVE-2024-21643.json"},"references":[{"type":"WEB","url":"https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/releases/tag/6.34.0"},{"type":"WEB","url":"https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/releases/tag/7.1.2"},{"type":"WEB","url":"https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/wiki/jkucve"},{"type":"ADVISORY","url":"https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/security/advisories/GHSA-rv9j-c866-gp5h"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/21xxx/CVE-2024-21643.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-21643"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet","events":[{"introduced":"0"},{"fixed":"edcac4427888840847c65695e4e5a80516664869"},{"introduced":"bf4cb251a85f1b27bbb208c703f6f3105bdb24ca"},{"fixed":"a607fa5e0005a6178cf1d2fed4fa0f8179cdb186"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"6.34.0"},{"introduced":"7.0.0"},{"fixed":"7.1.2"}]}},{"type":"GIT","repo":"https://github.com/azuread/azure-activedirectory-identitymodel-extensions-for-dotnet","events":[{"introduced":"0"},{"fixed":"edcac4427888840847c65695e4e5a80516664869"},{"fixed":"a607fa5e0005a6178cf1d2fed4fa0f8179cdb186"}]}],"versions":["5.4.0","6.10.1","6.11.0","6.11.1","6.12.0","6.12.1","6.12.2","6.13.0","6.13.1","6.14.1","6.15.1","6.16.0","6.17.0","6.18.0","6.19.0","6.20.0","6.22.1","6.23.0","6.23.1","6.24.0","6.25.0","6.25.1","6.26.0","6.27.0","6.28.0","6.28.1","6.29.0","6.30.0","6.30.1","6.31.0","6.32.1","6.32.2","6.32.3","6.5.0","6.5.1","6.6.0","6.7.0","6.7.1","6.9.0","v6.32.0","v6.33.0","v6.5.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-21643.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L"}]}