
Cloud Vulnerability DB
A community-led vulnerabilities database
Duende IdentityServer, an OpenID Connect and OAuth 2.x framework for ASP.NET Core, contains a vulnerability in its local API authentication handler: insufficient validation of the confirmation (cnf) claim in DPoP access tokens. DPoP (RFC 9449) sender-constrains an access token by binding it, through the cnf claim, to a key pair held by the client, so whoever presents the token must also present a proof JWT signed with the matching private key. Because of this flaw, an attacker who obtains a leaked DPoP access token can use it at local API endpoints without possessing that private key. The issue was disclosed on October 28, 2024 and affects versions 7.0.0 through 7.0.7 (GitHub Advisory).
The vulnerability is confined to the LocalApiAuthenticationHandler component when it is configured for DPoP authentication. It is tracked as CVE-2024-49755 with a CVSS v3.1 base score of 3.1 (LOW) and the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N: the endpoint is reachable over the network, but exploitation has high complexity, depends on user interaction, and presupposes that a token has already leaked; the impact is limited to a loss of confidentiality (GitHub Advisory).
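The key-binding check this advisory is about, written out here as an added Go example rather than IdentityServer's own C# (which this page does not reproduce). It generates a client key, builds a DPoP proof (RFC 9449) for a request, and verifies that the key carried in the proof has the RFC 7638 thumbprint recorded in the access token's cnf.jkt claim before checking the proof signature, method, URL, token hash and timestamp. The access token is stood in for by a constructed string whose cnf.jkt the code computes directly, i.e. the token's own issuer signature is assumed to have been validated already; https://idp.example.com/localapi/users is a hypothetical endpoint, and only ES256 over P-256 is handled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// toJWK renders a P-256 public key as the JWK that travels in the DPoP proof header.
func toJWK(pub *ecdsa.PublicKey) map[string]string {
	x, y := pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))
	return map[string]string{"kty": "EC", "crv": "P-256", "x": b64.EncodeToString(x), "y": b64.EncodeToString(y)}
}

// JWKThumbprint implements RFC 7638 for an EC key: SHA-256 over the canonical JSON of the required
// members in lexicographic order, base64url without padding. The issuer writes this value into cnf.jkt.
func JWKThumbprint(k map[string]string) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf(`{"crv":%q,"kty":%q,"x":%q,"y":%q}`, k["crv"], k["kty"], k["x"], k["y"])))
	return b64.EncodeToString(sum[:])
}

// MakeProof builds the DPoP proof JWT (RFC 9449) a client sends with its access token: signed with the
// client's private key and bound to the HTTP method (htm), request URL (htu) and token hash (ath).
func MakeProof(priv *ecdsa.PrivateKey, htm, htu, accessToken string) (string, error) {
	ath := sha256.Sum256([]byte(accessToken))
	hdr, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": toJWK(&priv.PublicKey)})
	pl, _ := json.Marshal(map[string]any{"htm": htm, "htu": htu, "iat": time.Now().Unix(), "ath": b64.EncodeToString(ath[:])})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS ES256 signature is r || s
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyDPoP is the check a local API must make before honouring a DPoP-bound token. cnfJKT is the cnf.jkt
// claim of an access token whose own signature has already been validated. The proof must be signed by
// exactly that key and bound to this request and token; skip the thumbprint comparison and a leaked token
// becomes usable by anyone able to sign a proof with a key of their own.
func VerifyDPoP(proof, cnfJKT, accessToken, htm, htu string) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed proof")
	}
	hb, errH := b64.DecodeString(parts[0])
	pb, errP := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	var hdr struct {
		Typ, Alg string
		JWK      map[string]string `json:"jwk"`
	}
	if errH != nil || errP != nil || errS != nil || len(sig) != 64 || json.Unmarshal(hb, &hdr) != nil ||
		hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.JWK["kty"] != "EC" || hdr.JWK["crv"] != "P-256" {
		return fmt.Errorf("malformed proof or unexpected header")
	}
	// The cnf check: the key presented in the proof must be the key the token was issued to.
	if JWKThumbprint(hdr.JWK) != cnfJKT {
		return fmt.Errorf("proof key does not match cnf.jkt")
	}
	xb, errX := b64.DecodeString(hdr.JWK["x"])
	yb, errY := b64.DecodeString(hdr.JWK["y"])
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if errX != nil || errY != nil || !pub.Curve.IsOnCurve(pub.X, pub.Y) ||
		!ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return fmt.Errorf("invalid proof key or signature")
	}
	var pl struct {
		Htm, Htu, Ath string
		Iat           int64
	}
	ath := sha256.Sum256([]byte(accessToken))
	if json.Unmarshal(pb, &pl) != nil || pl.Htm != htm || pl.Htu != htu || pl.Ath != b64.EncodeToString(ath[:]) ||
		time.Now().Unix()-pl.Iat > 300 || pl.Iat-time.Now().Unix() > 60 {
		return fmt.Errorf("proof not bound to this request and token, or outside the freshness window")
	}
	return nil
}

func main() {
	client, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	attacker, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // holds a leaked token but not the client's key
	const token, htu = "leaked.access.token", "https://idp.example.com/localapi/users" // constructed token, hypothetical endpoint
	jkt := JWKThumbprint(toJWK(&client.PublicKey)) // the value the issuer placed in the token's cnf.jkt
	good, _ := MakeProof(client, "GET", htu, token)
	stolen, _ := MakeProof(attacker, "GET", htu, token)
	fmt.Println("client:", VerifyDPoP(good, jkt, token, "GET", htu))
	fmt.Println("attacker:", VerifyDPoP(stolen, jkt, token, "GET", htu))
	fmt.Println("replay:", VerifyDPoP(good, jkt, token, "POST", htu))
}
```

Running it shows the legitimate client accepted, the attacker's proof rejected at the cnf.jkt comparison even though its signature is perfectly valid for the key it carries, and a captured proof rejected when replayed against a different method. A production handler additionally has to reject reused jti values and enforce any server-issued nonce, which this example leaves out.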
The vulnerability only impacts custom endpoints within an IdentityServer implementation that have explicitly used the LocalApiAuthenticationHandler for authentication. It does not affect OAuth or OIDC protocol endpoints, typical UI pages within an IdentityServer implementation, the use of DPoP to create sender-constrained tokens consumed by external API resources, or the use of DPoP to sender-constrain refresh tokens issued to public clients (GitHub Advisory).
The vulnerability has been patched in IdentityServer version 7.0.8. Versions 6.3 and below are unaffected because they do not support DPoP for Local APIs. Organizations running 7.0.0 through 7.0.7 should confirm the Duende.IdentityServer package version referenced by each project and upgrade to 7.0.8 or later (GitHub Advisory).
Source: This report was generated using AI