Description
Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if token is issued by same identity issuer/provider. Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.
Remediation
References
https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980
https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h
Related Vulnerabilities
CVE-2023-3691 Vulnerability in maven package org.webjars.npm:layui
CVE-2022-36897 Vulnerability in maven package com.compuware.jenkins:compuware-xpediter-code-coverage
CVE-2022-42004 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind
CVE-2020-13822 Vulnerability in maven package org.webjars.npm:elliptic
CVE-2020-15232 Vulnerability in maven package org.mapfish.print:print-lib