CVE-2024-10125: Missing JWT Issuer Validation in AWS ALB Identity ASP.NET Core

From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. Vulnerability ID: CVE-2024-10125 2. Vulnerability Name: missing JWT issuer and signer validation in aws-alb-identity-aspnetcore 3. Release Date: October 21, 2024, at 4:00 PM Pacific Standard Time 4. Description: - Affected Component: Amazon.ApplicationLoadBalancer.Identity.AspNetCore - Affected Scenarios: ASP.NET Core deployments integrated with Application Load Balancer (ALB) OpenID Connect, including AWS Fargate, Amazon Elastic Kubernetes Service (Amazon EKS), Amazon Elastic Container Service (Amazon ECS), Amazon Elastic Compute Cloud (Amazon EC2), and AWS Lambda. - Issue: The JWT processing code fails to validate the JWT issuer and signer identity during signature verification. When combined with scenarios where infrastructure owners allow internet traffic to ALB targets (an unsupported configuration), this could enable unauthorized entities to sign JWTs, potentially allowing valid OIDC authentication to ALB targets. 5. Affected Versions: All versions 6. Remediation: - Repository/Package: Deprecated and end-of-life; no longer supported. - Workarounds: - Ensure your ELB targets (e.g., EC2 instances, Fargate tasks, etc.) do not have public IP addresses. - Ensure any forked or derived code validates that the signer claim in the JWT matches the ALB ARN configured in the service. This information helps understand the nature, scope of impact, and mitigation or avoidance strategies for the vulnerability.

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2024-10125: Missing JWT Issuer Validation in AWS ALB Identity ASP.NET Core