JWT Signature Validation Vulnerability in Amazon ALB
CVE-2024-10125

7.5 HIGH

Key Information:

Vendor: Amazon
CVE Published: 22 October 2024

What is CVE-2024-10125?

A vulnerability in the Amazon Application Load Balancer's integration with the ASP.NET Core framework could expose deployments to risks associated with improper validation of JWT tokens. The middleware responsible for JWT signature validation does not adequately check the issuer and signer identity. This oversight could allow an untrusted entity to produce JWT tokens that the middleware accepts as valid, particularly where the Application Load Balancer's targets are reachable over the internet. As a precaution, ensure that no ELB targets have public IP addresses and verify that any derivative code checks the signer attribute against the ALB's ARN. The affected middleware has been deprecated and is no longer supported, which underlines the need for robust validation practices in OIDC-federated sessions.
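As an added illustration of the signer check the advisory calls for (not code from the deprecated middleware or from Amazon), the following Python decodes the header of an ALB-issued JWT and refuses any token whose `signer` claim is not the expected load balancer ARN before a public key is ever fetched. The ARN, key id and the public-key URL shape are assumptions made for this example.

```python
import base64
import json

# Constructed placeholder ARN for the load balancer we trust (not a real resource).
EXPECTED_ALB_ARN = ("arn:aws:elasticloadbalancing:us-east-1:123456789012:"
                    "loadbalancer/app/example-alb/0123456789abcdef")

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def parse_jwt_header(token: str) -> dict:
    """Decode only the header segment; nothing here verifies the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("JWT header is not a JSON object")
    return header

def header_is_from_trusted_alb(token: str, expected_arn: str) -> bool:
    """Gate applied before any key lookup: the header must name our ALB as the
    signer, use ES256 (the ALB's algorithm) and carry a kid for the public key.
    A token that passes must still have its signature verified with that key."""
    try:
        header = parse_jwt_header(token)
    except ValueError:
        return False
    return (header.get("alg") == "ES256"
            and isinstance(header.get("kid"), str) and bool(header["kid"])
            and header.get("signer") == expected_arn)

def public_key_url(header: dict, region: str) -> str:
    # Assumed shape of the ALB public-key endpoint; consult it only after the gate above passes.
    return f"https://public-keys.auth.elb.{region}.amazonaws.com/{header['kid']}"

def make_unsigned_token(header: dict) -> str:
    """Constructed sample token: dummy payload and dummy signature, for demonstration only."""
    segments = [json.dumps(header).encode(), json.dumps({"sub": "user@example.com"}).encode(), b"\x00" * 64]
    return ".".join(_b64url_encode(s) for s in segments)

# A header as our ALB would emit it, beside one naming an unrelated load balancer.
TRUSTED_HEADER = {"alg": "ES256", "kid": "11111111-2222-3333-4444-555555555555",
                  "signer": EXPECTED_ALB_ARN}
FOREIGN_HEADER = dict(TRUSTED_HEADER, signer=EXPECTED_ALB_ARN.replace("123456789012", "999999999999"))
```

Calling `header_is_from_trusted_alb(make_unsigned_token(FOREIGN_HEADER), EXPECTED_ALB_ARN)` returns False, which is the rejection the vulnerable middleware failed to perform; a real deployment then verifies the ES256 signature with the key fetched from `public_key_url`.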

Affected Version(s)

Amazon.ApplicationLoadBalancer.Identity.AspNetCore middleware: all versions

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published