{"id":"CVE-2023-36820","summary":"micronaut security has invalid IdTokenClaimsValidator logic on aud","details":"Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if the token is issued by the same identity issuer/provider. This affects any OIDC setup using Micronaut where multiple OIDC applications exist for the same issuer but token authentication is not meant to be shared between them, since an ID token issued for one application can then be accepted by another. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.\n","aliases":["GHSA-qw22-8w9r-864h"],"modified":"2026-04-10T05:01:29.452118Z","published":"2023-10-09T13:30:26.387Z","database_specific":{"cwe_ids":["CWE-284"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/36xxx/CVE-2023-36820.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/36xxx/CVE-2023-36820.json"},{"type":"ADVISORY","url":"https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36820"},{"type":"FIX","url":"https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/micronaut-projects/micronaut-security","events":[{"introduced":"007d1bcabc8e6dfb2f5ae6f5f4f801302e22326e"},{"fixed":"ddc0d2d9e3d812ce728e79b8a8628ab90d7fd2e8"}],"database_specific":{"versions":[{"introduced":"3.11.0"},{"fixed":"3.11.1"}]}},{"type":"GIT","repo":"https://github.com/micronaut-projects/micronaut-security","events":[{"introduced":"4f67f8eea1cb7eaa5cffc8a1ff5c1fd76702734c"},{"fixed":"462d77f6b958185487519a90e37674a78f3ee034"}],"database_specific":{"versions":[{"introduced":"3.10.0"},{"fixed":"3.10.2"}]}},{"type":"GIT","repo":"htt
ps://github.com/micronaut-projects/micronaut-security","events":[{"introduced":"d6f78a62f013dc7c0b8340c84c57cb13bf7e2248"},{"fixed":"453f810163e7a623f43a1d6be8cacc586c856472"}],"database_specific":{"versions":[{"introduced":"3.9.0"},{"fixed":"3.9.6"}]}},{"type":"GIT","repo":"https://github.com/micronaut-projects/micronaut-security","events":[{"introduced":"bd036bd94b38d721e48bf30d0cb453d4799a75f9"},{"fixed":"856156af444a69f852f35a98bf2167aa44e2bd99"}],"database_specific":{"versions":[{"introduced":"3.8.0"},{"fixed":"3.8.4"}]}},{"type":"GIT","repo":"https://github.com/micronaut-projects/micronaut-security","events":[{"introduced":"44b4c260d26a25fc96f1aa7baf4bf0e0d6c44e89"},{"fixed":"b7df87a4eed8d2a935345e2847180442f50a8fa6"}],"database_specific":{"versions":[{"introduced":"3.7.0"},{"fixed":"3.7.4"}]}},{"type":"GIT","repo":"https://github.com/micronaut-projects/micronaut-security","events":[{"introduced":"2fb6b9be8521cbaac46c9065609af34fe489b6c9"},{"fixed":"e5e7fc5b3ed4ac69bccb8676c9b67d6c9fdfa48b"}],"database_specific":{"versions":[{"introduced":"3.6.0"},{"fixed":"3.6.6"}]}},{"type":"GIT","repo":"https://github.com/micronaut-projects/micronaut-security","events":[{"introduced":"2301f38015b598f788bf1d6f10fdec5edf3aa400"},{"fixed":"e7c6f7e4618647049768cf9a9e4628b29eef6a6d"}],"database_specific":{"versions":[{"introduced":"3.5.0"},{"fixed":"3.5.3"}]}},{"type":"GIT","repo":"https://github.com/micronaut-projects/micronaut-security","events":[{"introduced":"13a0ef86d18031e1b6cad426dff30759d2674da6"},{"fixed":"da412c00d16c9007edc1a8a10a77228e0d47363b"}],"database_specific":{"versions":[{"introduced":"3.4.0"},{"fixed":"3.4.3"}]}},{"type":"GIT","repo":"https://github.com/micronaut-projects/micronaut-security","events":[{"introduced":"cf77c7c5101dc19ff52cc13967e2aa56898bf60b"},{"fixed":"df331d45cfe9d477208988aeaafb9b8b67078606"}],"database_specific":{"versions":[{"introduced":"3.3.0"},{"fixed":"3.3.2"}]}},{"type":"GIT","repo":"https://github.com/micronaut-projects/micronaut-se
curity","events":[{"introduced":"e67fe82d54f94d989a828226f3fd01150dc7f049"},{"fixed":"783fe437ac373c8dc8206f04eb8716ace4544dac"}],"database_specific":{"versions":[{"introduced":"3.2.0"},{"fixed":"3.2.4"}]}},{"type":"GIT","repo":"https://github.com/micronaut-projects/micronaut-security","events":[{"introduced":"9d91f2162a221c135c4701d0114b183693034db3"},{"fixed":"a517b7fd508de272608630e12f127d251dfea007"}],"database_specific":{"versions":[{"introduced":"3.1.0"},{"fixed":"3.1.2"}]}}],"versions":["v3.1.0","v3.1.1","v3.10.0","v3.10.1","v3.11.0","v3.2.0","v3.2.1","v3.2.2","v3.2.3","v3.3.0","v3.3.1","v3.4.0","v3.4.1","v3.5.0","v3.5.1","v3.5.2","v3.6.0","v3.6.1","v3.6.2","v3.6.3","v3.6.4","v3.6.5","v3.7.0","v3.7.1","v3.7.2","v3.7.3","v3.8.0","v3.8.1","v3.8.2","v3.8.3","v3.9.0","v3.9.1","v3.9.2","v3.9.3","v3.9.4","v3.9.5"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-36820.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}]}