Is CVE-2021-44878 actively exploited?

CVE-2021-44878 has no public evidence of in-the-wild exploitation as of 2024-11-21.

What is the CVSS score for CVE-2021-44878?

CVE-2021-44878 has a CVSS score of 7.5 (HIGH severity). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N.

How do I patch CVE-2021-44878?

Patch guidance is available from pac4j security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2021-44878.

Which products are affected by CVE-2021-44878?

2 products: pac4j pac4j, pac4j pac4j.

Fix CVE-2021-44878 - HIGH pac4j pac4j

Description

If an OpenID Connect provider supports the "none" algorithm (i.e., tokens with no signature), pac4j v5.3.0 (and prior) does not refuse it without an explicit configuration on its side or for the "idtoken" response type which is not secure and violates the OpenID Core Specification. The "none" algorithm does not require any signature verification when validating the ID tokens, which allows the attacker to bypass the token validation by injecting a malformed ID token using "none" as the value of "alg" key in the header with an empty signature value.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector: network
Complexity: low
Privileges: none
User Action: none
Scope: unchanged
Confidentiality: none
Integrity: high
Availability: none
Weaknesses: CWE-347

Metadata

Primary Vendor: PAC4J
Published: 1/6/2022
Last Modified: 11/21/2024
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

CVE-2021-44878

Description

CVSS Metrics

Metadata

Affected Products

Remediation Guidance

Executive Summary