HTTP Client uses incorrect token after refresh

Impact

HTTP Clients created by AddUserAccessTokenHttpClient may use a different user's access token after a token refresh. This occurs because a refreshed token will be captured in pooled HttpClient instances, which may be used by a different user.

Workarounds

Instead of using AddUserAccessTokenHttpClient to create an HttpClient that automatically adds a managed token to outgoing requests, you can use the HttpConext.GetUserAccessTokenAsync extension method or the IUserTokenManagementService.GetAccessTokenAsync method.

Patches

This issue is fixed in Duende.AccessTokenManagement.OpenIdConnect 3.0.1.

References

josephdecock published to DuendeArchive/Duende.AccessTokenManagement Nov 7, 2024

Published to the GitHub Advisory Database Nov 7, 2024

Reviewed Nov 7, 2024

Published by the National Vulnerability Database Nov 8, 2024

Last updated Nov 8, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

Impact

Workarounds

Patches

References

Severity

CVSS overall score

CVSS v4 base metrics

Exploitability Metrics

Vulnerable System Impact Metrics

Subsequent System Impact Metrics

CVSS v4 base metrics

Exploitability Metrics

Vulnerable System Impact Metrics

Subsequent System Impact Metrics

EPSS score

Exploit Prediction Scoring System (EPSS)

Weaknesses

Privilege Context Switching Error

CVE ID

GHSA ID

Source code

Credits

Uh oh!