CVE-2024-39694: 
C# vulnerability analysis and mitigation

Duende IdentityServer, an OpenID Connect and OAuth 2.x framework for ASP.NET Core, contains a vulnerability where attackers can craft malicious URLs that certain functions will incorrectly treat as local and trusted. The vulnerability was disclosed on July 31, 2024, affecting versions 7.0.5 and earlier, 6.3.9 and earlier, 6.2.4 and earlier, 6.1.7 and earlier, and 6.0.4 and earlier (GitHub Advisory).

The vulnerability is classified as an Open Redirect (CWE-601) with a CVSS v3.1 score of 4.7 (Medium), with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N. The issue affects multiple methods in DefaultIdentityServerInteractionService, including GetAuthorizationContextAsync and IsValidReturnUrl, which may incorrectly validate malicious URLs as safe. Additional affected components include ServerUrlExtensions.GetIdentityServerRelativeUrl, ReturnUrlParser.ParseAsync, and OidcReturnUrlParser.ParseAsync methods (GitHub Advisory).

If exploited, this vulnerability could allow attackers to redirect users to third-party, untrusted sites when maliciously crafted URLs are processed. While the vulnerability itself does not directly expose user credentials, authorization codes, access tokens, refresh tokens, or identity tokens, it could be leveraged as part of a broader phishing attack to steal user credentials (GitHub Advisory).

The vulnerability has been patched in versions 7.0.6, 6.3.10, 6.2.5, 6.1.8, and 6.0.5. For users unable to upgrade, a workaround is available by using IUrlHelper.IsLocalUrl from ASP.NET Core 5.0 or later to validate return URLs in user interface code in the IdentityServer host. Note that Duende.IdentityServer 5.1 and earlier, and all versions of IdentityServer4 are no longer supported and will not receive updates (GitHub Advisory).