JWT Signature Validation Vulnerability in Amazon ALB
CVE-2024-10125

6.9 MEDIUM

What is CVE-2024-10125?

The Amazon.ApplicationLoadBalancer.Identity.AspNetCore middleware consumes the identity token that an Amazon Application Load Balancer (ALB) forwards to its targets after OpenID Connect authentication. When validating that token's signature, the middleware did not verify the token's issuer or its signer (the ALB that produced it): it selected the verification key by the token's key ID alone. Because ALB signing keys are fetched from a regional public-key endpoint by key ID, a token produced by any ALB in that region, including one the attacker created in their own account, carries a key ID that endpoint will serve, so the signature check passes and the attacker can mint tokens carrying whatever identity claims they choose. The attack only works if the attacker can deliver the forged token to the target without passing through the victim's ALB, i.e. when the ALB targets are reachable over the internet. As mitigation, ensure that no ELB target has a public IP address, so requests can only arrive via the ALB, and review any code derived from this middleware to confirm it compares the token's signer attribute against the expected ALB ARN and the issuer against the expected OIDC issuer before trusting the signature. The middleware itself is deprecated and no longer maintained, so derivative code must carry these checks on its own.
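The following is an added example, not code from the middleware, modelling the gap described above in Python: a validator that picks the key by `kid` only, next to one that pins `signer` (the ALB ARN) and `iss` before the key is looked up. The token layout (header fields `alg`, `kid`, `signer`, `iss`, `client`, `exp`, with user claims in the payload) follows the AWS documentation for the `x-amzn-oidc-data` header. The signature primitive is HMAC-SHA256 as a constructed stand-in for the ES256 signature a real ALB produces, and the `REGIONAL_KEYS` dictionary stands in for the regional public-keys endpoint; the ARNs, issuer URL and key IDs are invented for the demo.

```python
"""Model of CVE-2024-10125: key chosen by kid alone vs. signer/issuer pinned first.

Added example, not the middleware's code. HMAC-SHA256 stands in for ES256 so the
demo runs with the standard library; the point is which header fields get checked,
not the signature algorithm.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed values for the victim deployment (constructed for this example).
EXPECTED_SIGNER = ("arn:aws:elasticloadbalancing:us-east-1:111111111111:"
                   "loadbalancer/app/my-alb/0123456789abcdef")
EXPECTED_ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"

# Stand-in for public-keys.auth.elb.us-east-1.amazonaws.com/<kid>: the real endpoint
# serves the key of ANY load balancer in the region, including an attacker's own.
REGIONAL_KEYS = {
    "kid-victim-alb": b"victim-alb-key",
    "kid-attacker-alb": b"attacker-alb-key",
}


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(kid: str, signer: str, iss: str, claims: dict, exp: int) -> str:
    """Produce a token in the x-amzn-oidc-data layout, signed with the key behind kid.

    A real ALB only ever emits tokens whose signer is its own ARN; the attacker
    cannot change that field because it is covered by the signature.
    """
    header = {"alg": "ES256", "kid": kid, "signer": signer, "iss": iss,
              "client": "example-client", "exp": exp}
    signing_input = f"{_b64u(json.dumps(header).encode())}.{_b64u(json.dumps(claims).encode())}"
    sig = hmac.new(REGIONAL_KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64u(sig)}"


def _split(token: str):
    h, p, s = token.split(".")
    return json.loads(_b64u_decode(h)), json.loads(_b64u_decode(p)), f"{h}.{p}", _b64u_decode(s)


def _signature_ok(kid: str, signing_input: str, sig: bytes) -> bool:
    key = REGIONAL_KEYS.get(kid)
    if key is None:
        return False
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def validate_vulnerable(token: str, now: Optional[int] = None) -> Optional[dict]:
    """The CVE-2024-10125 pattern: trust whatever key the endpoint serves for kid."""
    header, payload, signing_input, sig = _split(token)
    now = int(time.time()) if now is None else now
    if header.get("exp", 0) <= now:
        return None
    if not _signature_ok(header.get("kid"), signing_input, sig):
        return None
    return payload


def validate_hardened(token: str, expected_signer: str = EXPECTED_SIGNER,
                      expected_issuer: str = EXPECTED_ISSUER,
                      now: Optional[int] = None) -> Optional[dict]:
    """Pin algorithm, signing ALB and issuer before the key is even looked up."""
    header, payload, signing_input, sig = _split(token)
    now = int(time.time()) if now is None else now
    if header.get("alg") != "ES256":          # no alg confusion / alg=none
        return None
    if header.get("signer") != expected_signer:  # the ALB ARN, the missing check
        return None
    if header.get("iss") != expected_issuer:
        return None
    if header.get("exp", 0) <= now:
        return None
    if not _signature_ok(header.get("kid"), signing_input, sig):
        return None
    return payload


def demo(now: int = 1_700_000_000) -> dict:
    """Run both validators over a legitimate token and one minted by the attacker's ALB."""
    legit = mint_token("kid-victim-alb", EXPECTED_SIGNER, EXPECTED_ISSUER,
                       {"sub": "alice"}, now + 120)
    forged = mint_token("kid-attacker-alb",
                        "arn:aws:elasticloadbalancing:us-east-1:999999999999:"
                        "loadbalancer/app/evil/fedcba9876543210",
                        "https://attacker.example/issuer",
                        {"sub": "alice", "role": "admin"}, now + 120)
    return {
        "legit_vulnerable": validate_vulnerable(legit, now),
        "forged_vulnerable": validate_vulnerable(forged, now),   # accepted: the bug
        "legit_hardened": validate_hardened(legit, now=now),
        "forged_hardened": validate_hardened(forged, now=now),   # rejected on signer
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The forged token is fully valid cryptographically; what makes it an attack is that nothing ties the key to the victim's ALB. Pinning `signer` closes that, and checking `iss` additionally rejects tokens an ALB issued for a different identity provider. Keeping targets off public IPs is the complementary control: it removes the path by which the forged token reaches the application without the victim's ALB in front of it.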

Affected Version(s)

Amazon.ApplicationLoadBalancer.Identity.AspNetCore middleware: all versions

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality (Vulnerable System):
None
Integrity (Vulnerable System):
None
Availability (Vulnerable System):
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
Physical (value as listed; CVSS v4 defines only None or Present for this metric)
Privileges Required:
Undefined
User Interaction:
None

Note: the three impact metrics above are the Vulnerable System metrics; with all three at None, the 6.9 score can only come from the Subsequent System impact metrics, which this page does not list.

Timeline

  • Vulnerability published
