CVE-2021-44878
Severity: HIGH
pac4j < 4.5.5 - Improper Verification of Cryptographic Signature via OpenID Connect 'none' Algorithm
If an OpenID Connect provider supports the "none" algorithm (i.e., tokens with no signature), pac4j v5.3.0 (and prior) does not refuse it unless explicitly configured to on its side, or for the "idtoken" response type; this is not secure and violates the OpenID Core Specification. The "none" algorithm requires no signature verification when validating ID tokens, so an attacker can bypass token validation by injecting a malformed ID token whose header uses "none" as the value of the "alg" key and whose signature part is empty.
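As an added illustration (not pac4j's own code; it uses HS256 with a constructed shared secret as a stand-in for the provider's real signing key), a naive verifier that trusts the "alg" claimed in the token header, beside a hardened one that only accepts algorithms from an explicit client-side allowlist:

```python
import base64, hashlib, hmac, json

# Constructed demo key; a real OIDC client would use the provider's published keys.
DEMO_KEY = b"constructed-demo-secret"

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims: dict, alg: str, key: bytes = DEMO_KEY) -> str:
    """Builds a test token; alg "none" yields the empty-signature form the CVE describes."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    if alg == "HS256":
        sig = b64url_encode(hmac.new(key, signing_input, hashlib.sha256).digest())
    else:
        sig = ""  # no signature at all
    return f"{header}.{payload}.{sig}"

def _hs256_ok(h: str, p: str, s: str, key: bytes) -> bool:
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(s))

def verify_naive(token: str, key: bytes = DEMO_KEY) -> dict:
    """Vulnerable pattern: the header's alg decides whether a signature is checked at all."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "none" and not _hs256_ok(h, p, s, key):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))  # alg "none" is accepted unverified

def verify_strict(token: str, key: bytes = DEMO_KEY,
                  allowed_algs: tuple = ("HS256",)) -> dict:
    """Hardened pattern: only algorithms on the client's allowlist are accepted, so a
    token claiming "none" is rejected before any signature handling (HS256-only demo)."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    alg = header.get("alg")
    if alg not in allowed_algs:
        raise ValueError(f"alg {alg!r} not in client allowlist")
    if not _hs256_ok(h, p, s, key):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))
```

The fix in pac4j 4.5.5 follows the same principle: the client, not the token, decides which signing algorithms are acceptable.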
References (3)
Patch, Third Party Advisory x_refsource_misc
https://github.com/pac4j/pac4j/commit/22b82ffd702a132d9f09da60362fc6264fc281ae
Product, Third Party Advisory x_refsource_misc
https://openid.net/specs/openid-connect-core-1_0.html#IDToken
Mitigation, Vendor Advisory x_refsource_misc
https://www.pac4j.org/blog/cve_2021_44878_is_this_serious.html
Scores
CVSS v3
7.5
EPSS
0.0089
EPSS Percentile
54.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-347
Status
published
Products (2)
org.pac4j/pac4j-oidc
0 - 4.5.5 (Maven)
pac4j/pac4j
< 4.5.5
Published
Jan 06, 2022
Tracked Since
Feb 18, 2026