{"id":"CVE-2021-44878","details":"pac4j v5.3.0 (and prior) accepts ID tokens that use the \"none\" algorithm (i.e., unsigned tokens) whenever the OpenID Connect provider advertises support for it: it does not refuse them without an explicit opt-in configuration on the pac4j side, and it does not refuse them for the \"id_token\" response type either. Both behaviours are insecure and violate the OpenID Connect Core specification, which only permits \"none\" when the client explicitly requested it at registration and the response type returns no ID token from the authorization endpoint. Because \"none\" requires no signature verification when the ID token is validated, an attacker can bypass token validation by injecting a forged ID token whose header sets \"alg\" to \"none\" and whose signature part is empty.","aliases":["GHSA-xhw6-hjc9-679m"],"modified":"2026-04-11T16:26:26.771140Z","published":"2022-01-06T13:15:08.180Z","references":[{"type":"ADVISORY","url":"https://openid.net/specs/openid-connect-core-1_0.html#IDToken"},{"type":"ADVISORY","url":"https://www.pac4j.org/blog/cve_2021_44878_is_this_serious.html"},{"type":"FIX","url":"https://github.com/pac4j/pac4j/commit/22b82ffd702a132d9f09da60362fc6264fc281ae"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pac4j/pac4j","events":[{"introduced":"0"},{"fixed":"a1ae387ce42b09ffa114065f8782061404be4cf4"},{"introduced":"c4aa7948f21985f9acc6778414afc9719c79befb"},{"fixed":"b0a017fe116d5dd0420838971cd02badbdeeb478"},{"fixed":"22b82ffd702a132d9f09da60362fc6264fc281ae"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.5.5"},{"introduced":"5.0.0"},{"fixed":"5.3.1"}]}}],"versions":["pac4j-1.4.0","pac4j-1.4.1","pac4j-1.5.0","pac4j-1.5.1","pac4j-1.6.0","pac4j-1.6.0-RC1","pac4j-1.7.0","pac4j-1.8.0","pac4j-1.8.0-RC1","pac4j-1.8.1","pac4j-1.8.2","pac4j-1.8.3","pac4j-1.9.0","pac4j-1.9.1","pac4j-1.9.2","pac4j-1.9.3","pac4j-2.0.0","pac4j-2.0.0-RC1","pac4j-2.0.0-RC2","pac4j-2.1.0","pac4j-3.0.0","pac4j-3.0.0-RC1","pac4j-3.0.0-RC2","pac4j-3.0.1","pac4j-3.1.0","pac4j-3.2.0","pac4j-3.3.0","pac4j-3.4.0","pac4j-4.0.0","pac4j-4.0.0-RC1","pac4j-4.0.0-RC2","pac4j-4.0.0-RC3","pac4j-4.0.1","pac4j-4.0.2","pac4j-4.0.3","pac4j-4.1.0
","pac4j-4.2.0","pac4j-4.3.1","pac4j-4.4.0","pac4j-4.5.0","pac4j-4.5.1","pac4j-4.5.2","pac4j-4.5.3","pac4j-4.5.4","pac4j-5.0.0","pac4j-5.0.1","pac4j-5.1.0","pac4j-5.1.1","pac4j-5.1.2","pac4j-5.1.3","pac4j-5.1.4","pac4j-5.1.5","pac4j-parent-5.2.0","pac4j-parent-5.2.1","pac4j-parent-5.3.0","scribe-up-1.0.0","scribe-up-1.1.0","scribe-up-1.3.0","scribe-up-1.3.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-44878.json","vanir_signatures":[{"source":"https://github.com/pac4j/pac4j/commit/22b82ffd702a132d9f09da60362fc6264fc281ae","target":{"file":"pac4j-oidc/src/main/java/org/pac4j/oidc/credentials/authenticator/UserInfoOidcAuthenticator.java"},"signature_type":"Line","digest":{"line_hashes":["142734875259220979380034538026834823159","93516544702623769002709036197105832465","78151112510877933723915571325399453673","186976575094375344517935912759978704618","328621840333553987638841802560172542274","31195574165791698271710333171444427955","33359846202687368761658077525127785892","181154821364886295254219673091852051766","177591155745275731061717691244081747862","206582387734264907023769571307585263297","165932322687329723717707126492868335996","68632315901324971227108669574155793477","195659575427657192723094720092080624905","236052930497564336736705324012256346019"],"threshold":0.9},"id":"CVE-2021-44878-1fcca557","signature_version":"v1","deprecated":false},{"source":"https://github.com/pac4j/pac4j/commit/22b82ffd702a132d9f09da60362fc6264fc281ae","target":{"file":"pac4j-oidc/src/main/java/org/pac4j/oidc/config/OidcConfiguration.java"},"signature_type":"Line","digest":{"line_hashes":["43943432238979706888797464452912863518","182716811072104724516345116051238537590","308248797421994447634602175309512946969","307245983942101714527022942220442871021","34005432408164938541023632046895676987","289845892867212993275457587660900103477","278772829820637479633183678612398312233","213127895201863992657303274028504330555","122981
064431604722275789699601182556171"],"threshold":0.9},"id":"CVE-2021-44878-7bfe6e3b","signature_version":"v1","deprecated":false},{"source":"https://github.com/pac4j/pac4j/commit/22b82ffd702a132d9f09da60362fc6264fc281ae","target":{"file":"pac4j-oidc/src/main/java/org/pac4j/oidc/profile/creator/TokenValidator.java"},"signature_type":"Line","digest":{"line_hashes":["244296901486418034151498386119171688002","283952748683071184838642401581082240219","76363101135699634511413522579674031927","226915231271433674858616834027959816478","97518857489170432927350744390244171505","233765041351676768397588464809275487601","209445786348199690161093809124748258532","84849930009010021822456829511175838597","187947379788689051867086956802052762134","202741386810270184480202936470288811247"],"threshold":0.9},"id":"CVE-2021-44878-ca015dcb","signature_version":"v1","deprecated":false},{"source":"https://github.com/pac4j/pac4j/commit/22b82ffd702a132d9f09da60362fc6264fc281ae","target":{"file":"pac4j-oidc/src/main/java/org/pac4j/oidc/credentials/authenticator/UserInfoOidcAuthenticator.java","function":"fetchOidcProfile"},"signature_type":"Function","digest":{"function_hash":"309649846393890486951584006561382897584","length":881},"id":"CVE-2021-44878-d1c2c860","signature_version":"v1","deprecated":false},{"source":"https://github.com/pac4j/pac4j/commit/22b82ffd702a132d9f09da60362fc6264fc281ae","target":{"file":"pac4j-oidc/src/main/java/org/pac4j/oidc/config/OidcConfiguration.java","function":"toString"},"signature_type":"Function","digest":{"function_hash":"168662865657726720582909440363251566777","length":745},"id":"CVE-2021-44878-d8095ef3","signature_version":"v1","deprecated":false},{"source":"https://github.com/pac4j/pac4j/commit/22b82ffd702a132d9f09da60362fc6264fc281ae","target":{"file":"pac4j-oidc/src/main/java/org/pac4j/oidc/profile/creator/TokenValidator.java","function":"TokenValidator"},"signature_type":"Function","digest":{"function_hash":"312411212405526232696226767707092061916",
"length":1313},"id":"CVE-2021-44878-f741ac07","signature_version":"v1","deprecated":false}],"vanir_signatures_modified":"2026-04-11T16:26:26Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}
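Worked example of the bypass described in the advisory above. This is an added illustration written for this page, not pac4j's code and not the fix commit: it builds a forged ID token with "alg":"none" and an empty signature, runs it through a validator that mirrors the pre-fix behaviour (any algorithm the provider advertises is honoured, so "none" skips signature verification), and then through a validator that applies the rule the advisory describes for the fix (unsigned tokens are only honoured after an explicit opt-in, and never for an id_token response type). Assumptions: HS256 with a constructed client secret stands in for the provider's real signing key; the function names (validate_vulnerable, validate_fixed, make_id_token) and the allow_unsigned/response_type parameters are hypothetical and do not name pac4j's own API; the sample claims and secret are constructed. Issuer, audience, expiry and nonce checks are omitted to keep the focus on the signature decision.

```python
import base64
import hashlib
import hmac
import json


class InvalidIdToken(Exception):
    """Raised when an ID token must be rejected."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, alg: str, secret: bytes = b"") -> str:
    """Build a compact JWS (header.payload.signature).
    HS256 stands in for the provider's real key (constructed for this example).
    alg "none" yields an empty signature part: exactly what the attacker injects."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    if alg == "HS256":
        signature = _b64url_encode(hmac.new(secret, signing_input, hashlib.sha256).digest())
    elif alg == "none":
        signature = ""
    else:
        raise ValueError(f"unsupported alg {alg!r}")
    return f"{header}.{payload}.{signature}"


def _split(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidIdToken("not a compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims, parts


def _verify_hs256(parts, secret: bytes) -> None:
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise InvalidIdToken("bad signature")


def validate_vulnerable(token: str, secret: bytes, provider_algs: set) -> dict:
    """Pre-fix behaviour (hypothetical model of the advisory): any alg the
    provider advertises is honoured, so "none" returns the claims unverified."""
    header, claims, parts = _split(token)
    alg = header.get("alg")
    if alg not in provider_algs:
        raise InvalidIdToken(f"alg {alg!r} not supported by provider")
    if alg == "none":
        return claims  # no signature check at all: the bypass
    _verify_hs256(parts, secret)
    return claims


def validate_fixed(token: str, secret: bytes, provider_algs: set,
                   allow_unsigned: bool = False, response_type: str = "code") -> dict:
    """Post-fix rule as the advisory describes it: "none" only when the relying
    party explicitly opted in AND the flow returns no ID token from the
    authorization endpoint (never for an id_token response type)."""
    header, claims, parts = _split(token)
    alg = header.get("alg")
    if alg not in provider_algs:
        raise InvalidIdToken(f"alg {alg!r} not supported by provider")
    if alg == "none":
        if not allow_unsigned or "id_token" in response_type.split():
            raise InvalidIdToken("unsigned ID token refused")
        return claims
    _verify_hs256(parts, secret)
    return claims


# Constructed sample data: a provider that advertises "none" (the CVE precondition).
SECRET = b"client-secret-for-example"
PROVIDER_ALGS = {"HS256", "none"}
GENUINE = make_id_token({"iss": "https://op.example", "sub": "alice", "aud": "my-client"}, "HS256", SECRET)
FORGED = make_id_token({"iss": "https://op.example", "sub": "admin", "aud": "my-client"}, "none")


def outcome(validator, token: str, **kwargs) -> str:
    """Return the accepted subject, or a 'rejected: ...' string."""
    try:
        return validator(token, SECRET, PROVIDER_ALGS, **kwargs)["sub"]
    except InvalidIdToken as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print("vulnerable, forged:", outcome(validate_vulnerable, FORGED))
    print("fixed, forged:     ", outcome(validate_fixed, FORGED))
    print("fixed, genuine:    ", outcome(validate_fixed, GENUINE))
```

The forged token carries sub "admin" and passes validate_vulnerable because the header's own "alg" value decides whether a signature is checked; validate_fixed refuses it by default, refuses it even with the opt-in when the response type contains id_token, and still verifies the HS256 signature on every signed token. The practical check for a deployment is the same as the one this code encodes: confirm the relying party never honours "none" unless it was deliberately configured to, and never for the implicit or hybrid flows.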