How severe is CVE-2024-49755?

This vulnerability has a severity rating of LOW with a CVSS score of 3.1 out of 10.

What type of vulnerability is CVE-2024-49755?

This is classified as CWE-287, which is a common weakness in software security.

CVE-2024-49755 - LOW Severity | CVSS 3.1

Vulnerability Description

Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. IdentityServer's local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local api endpoints even without possessing the private key for signing proof tokens. Note that this only impacts custom endpoints within an IdentityServer implementation that have explicitly used the LocalApiAuthenticationHandler for authentication. This vulnerability is patched in IdentityServer 7.0.8. Version 6.3 and below are unaffected, as they do not support DPoP in Local APIs.

Related Vulnerabilities

CVE-2018-12445

LOW

CVSS:3.1(Low)

An issue was discovered in the com.dropbox.android application 98.2.2 for Android. The FingerprintManager class for Biometric validation allows authentication bypass through the callback method from o...

CWE-2872018

CVE-2018-8862

LOW

CVSS:3.1(Low)

In ATI Systems Emergency Mass Notification Systems (HPSS16, HPSS32, MHPSS, and ALERT4000) devices, an improper authentication vulnerability caused by specially crafted malicious radio transmissions ma...

CWE-2872018

CVE-2024-50341

LOW

CVSS:3.1(Low)

symfony/security-bundle is a module for the Symphony PHP framework which provides a tight integration of the Security component into the Symfony full-stack framework. The custom `user_checker` defined...

CWE-2872024

CVE-2019-20533

LOW

CVSS:3.3(Low)

An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) (released in China or India) software. The S Secure app can launch masked apps without a password. The Samsung ID is S...

CWE-2872019

CVE-2020-9077

LOW

CVSS:3.3(Low)

HUAWEI P30 smart phones with versions earlier than 10.1.0.160(C00E160R2P11) have an information exposure vulnerability. The system does not properly authenticate the application that access a specifie...

CWE-2872020

CVE-2020-9250

LOW

CVSS:3.3(Low)

There is an insufficient authentication vulnerability in some Huawei smart phone. An unauthenticated, local attacker can crafts software package to exploit this vulnerability. Due to insufficient veri...

CWE-2872020