CVE-2024-51987
CVSS 3.1 Score 5.4 of 10 (medium)
Details
Summary
CVE-2024-51987 is a vulnerability in Duende.AccessTokenManagement.OpenIdConnect, a set of .NET libraries for managing OAuth and OpenID Connect access tokens. The flaw is in the `AddUserAccessTokenHttpClient` method: after a token refresh, an `HttpClient` instance created through it can end up sending a different user's access token, because the refreshed token is captured in pooled `HttpClient` instances. The result is potential unauthorized access to a backend API under another user's identity. As a mitigation, developers are advised to obtain the token per request through `HttpContext.GetUserAccessTokenAsync` or `IUserTokenManagementService.GetAccessTokenAsync` instead. Duende.AccessTokenManagement.OpenIdConnect version 3.0.1 contains the fix, and all users are encouraged to upgrade as soon as possible. No known workarounds are available for this issue.
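The following ASP.NET Core snippet is an added example, not code from the advisory or from the Duende project, showing the mitigation the advisory recommends: the token is resolved for the current request's user via `IUserTokenManagementService.GetAccessTokenAsync` and attached to the individual `HttpRequestMessage`, rather than relying on the handler that `AddUserAccessTokenHttpClient` wires into pooled clients. It assumes the 3.x API shape of the package (the `UserToken` property names `AccessToken`, `IsError` and the parameter order of `GetAccessTokenAsync` are assumptions), and the client name, endpoint path and API base address are placeholders.

```csharp
// Added example (not the advisory's or the project's code). Assumes
// Duende.AccessTokenManagement.OpenIdConnect 3.x; UserToken property names and the
// GetAccessTokenAsync parameter order are assumptions. Names/URLs are placeholders.
using System.Net.Http.Headers;
using Duende.AccessTokenManagement.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Authentication (cookie + OpenID Connect) is configured elsewhere; token
// management registration is the part relevant to the advisory.
builder.Services.AddOpenIdConnectAccessTokenManagement();

// Pattern affected by CVE-2024-51987 on versions before 3.0.1: the delegating
// handler attached here lives inside pooled HttpClient instances, so a refreshed
// token can be captured and sent on behalf of a different user.
// builder.Services.AddUserAccessTokenHttpClient("api",
//     configureClient: client => client.BaseAddress = new Uri("https://api.example.invalid/"));

// Mitigated pattern: a plain named client with no token handler; the token is
// fetched and attached per request below.
builder.Services.AddHttpClient("api",
    client => client.BaseAddress = new Uri("https://api.example.invalid/"));

var app = builder.Build();

app.MapGet("/profile", async (HttpContext ctx, IHttpClientFactory factory,
    IUserTokenManagementService tokens, CancellationToken ct) =>
{
    // Resolve (and, if needed, refresh) the token for THIS request's user.
    var token = await tokens.GetAccessTokenAsync(ctx.User, null, ct);
    if (token.IsError || string.IsNullOrEmpty(token.AccessToken))
        return Results.StatusCode(StatusCodes.Status401Unauthorized);

    // Put the bearer token on the request message, never on
    // client.DefaultRequestHeaders: the client object may be reused for other
    // users by the factory, the request object is not.
    using var request = new HttpRequestMessage(HttpMethod.Get, "me");
    request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.AccessToken);

    var client = factory.CreateClient("api");
    using var response = await client.SendAsync(request, ct);
    var body = await response.Content.ReadAsStringAsync(ct);
    return Results.Text(body, "application/json");
}).RequireAuthorization();

app.Run();
```

The check a reviewer should apply to existing code on an affected version is whether any access token is stored on a shared object (the `HttpClient` default headers, a singleton handler, a static field); anything scoped to the request, as above, is unaffected by the token-capture behaviour described in the advisory.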