SCA: security update for Duende.IdentityServer (GHSA-ff4q-64jc-gx98)

medium Tenable Cloud Security Plugin ID 414461

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. It is possible for an attacker to craft malicious URLs that certain functions in IdentityServer will incorrectly treat as local and trusted. If such a URL is returned as a redirect, some browsers will follow it to a third-party, untrusted site. Note: by itself, this vulnerability does **not** allow an attacker to obtain user credentials, authorization codes, access tokens, refresh tokens, or identity tokens. An attacker could, however, exploit this vulnerability as part of a phishing attack designed to steal user credentials. This vulnerability is fixed in 7.0.6, 6.3.10, 6.2.5, 6.1.8, and 6.0.5. Duende.IdentityServer 5.1 and earlier and all versions of IdentityServer4 are no longer supported and will not be receiving updates. If upgrading is not possible, use `IUrlHelper.IsLocalUrl` from ASP.NET Core to validate return URLs in user interface code in the IdentityServer host. (CVE-2024-39694)
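The workaround in the advisory is to validate every return URL in the host's own UI code with `IUrlHelper.IsLocalUrl` before redirecting. The following is an added illustration of that check in an ASP.NET Core MVC controller inside an IdentityServer host; it is not code from Duende or from this plugin. The controller, view model, and namespace names are hypothetical, and the only framework members relied on are `Controller.Url` (an `IUrlHelper`), `IUrlHelper.IsLocalUrl`, and `Controller.LocalRedirect`, all of which exist in ASP.NET Core.

```csharp
// Added example (hypothetical host code, not Duende's): route every returnUrl
// received by the login UI through IUrlHelper.IsLocalUrl before it is used.
using Microsoft.AspNetCore.Mvc;

namespace ExampleIdentityHost.Controllers // hypothetical namespace
{
    public class LoginViewModel // hypothetical view model
    {
        public string ReturnUrl { get; set; } = "~/";
    }

    public class AccountController : Controller
    {
        // Single choke point for return URLs. IsLocalUrl accepts only
        // application-relative values such as "/connect/authorize?..." or
        // "~/account"; absolute URLs and protocol-relative forms such as
        // "//example.test" are rejected, which is exactly the class of value
        // the advisory says IdentityServer itself mis-classified as local.
        private string SafeReturnUrl(string? returnUrl)
        {
            if (!string.IsNullOrWhiteSpace(returnUrl) && Url.IsLocalUrl(returnUrl))
            {
                return returnUrl;
            }

            // Anything that fails validation is replaced by a fixed local
            // destination rather than being echoed back to the browser.
            return "~/";
        }

        // GET: the value arriving on the query string is validated once here,
        // so the rendered form only ever carries a known-local URL.
        [HttpGet]
        public IActionResult Login(string? returnUrl)
        {
            var model = new LoginViewModel { ReturnUrl = SafeReturnUrl(returnUrl) };
            return View(model);
        }

        // Called by the POST handler after the user has been signed in. The
        // value round-tripped through the form, so it is validated again, and
        // LocalRedirect is used instead of Redirect: it throws on a non-local
        // URL, giving a second, independent guard.
        private IActionResult RedirectAfterSignIn(string? returnUrl)
        {
            return LocalRedirect(SafeReturnUrl(returnUrl));
        }
    }
}
```

The same `SafeReturnUrl` pattern applies to any other UI page in the host that accepts a `returnUrl` (consent, logout, external-login callbacks). Keeping the check in one helper and using `LocalRedirect` rather than `Redirect` means a later change cannot quietly reintroduce an unchecked redirect. This is a mitigation for the UI layer only; the advisory's recommended fix remains upgrading to one of the patched versions.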

See Also

https://github.com/advisories/GHSA-ff4q-64jc-gx98

Plugin Details

Severity: Medium

ID: 414461

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2024-39694

CVSS v3

Risk Factor: Medium

Base Score: 4.7

Temporal Score: 4.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 5.1

Threat Score: 1.2

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 7/31/2024

Vulnerability Publication Date: 7/31/2024

Reference Information

CVE: CVE-2024-39694

CWE: CWE-601