CVE-2024-21643: 
C# vulnerability analysis and mitigation

CVE-2024-21643 affects IdentityModel Extensions for .NET, a framework used by web developers for federated identity providers. The vulnerability exists in the SignedHttpRequest protocol where Microsoft.IdentityModel trusts the jku claim by default, potentially allowing remote or local HTTP GET requests. The issue was discovered and disclosed in January 2024, affecting all versions prior to 7.1.2 (for 7x) and 6.34.0 (for 6x) (GitHub Advisory).

The vulnerability stems from Microsoft.IdentityModel's default trust of the jku claim in the SignedHttpRequest protocol. This affects anyone using the SignedHttpRequest protocol or the SignedHttpRequestValidator. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating high potential impact on confidentiality, integrity, and availability (NVD).

The vulnerability allows attackers to make any remote or local HTTP GET request through the SignedHttpRequest protocol, potentially leading to remote code execution. This could compromise the security of applications using the affected components for federated identity management (GitHub Advisory).

Users should update all their Microsoft.IdentityModel versions to 7.1.2 (for 7x) or higher, 6.34.0 (for 6x) or higher. For teams requiring the use of the jku claim, the only potentially safe approach is to limit trusted domains using the new properties: AllowResolvingPopKeyFromJku (defaults to false) and AllowedDomainsForJkuRetrieval. Without upgrading, organizations can disable or filter outbound HTTP requests at the firewall (Microsoft Wiki).