GHSA-f2cx-463q-7m2c

Severity: HIGH

OpenAM OAuth Client Impersonation via JWKS Resolver Cache

Details

## Summary

**Description**

An Improper Authentication (CWE-287) issue in OpenAM's OAuth2 private_key_jwt client authentication path allows any registered OAuth2 client to obtain tokens issued in the name of any other client whose signing key is published via a jwks_uri, without possessing that client's private signing key. The flaw lies in how the JWKS resolver cache is used during assertion verification. It affects OpenAM Community Edition through version 16.0.6 and was patched in version 16.1.1.

## Impact

OpenAM Community Edition deployments through version 16.0.6 that have OAuth2 clients configured for private_key_jwt authentication with keys published via jwks_uri are potentially affected. An attacker holding any such client registration, either their own or one obtained through open dynamic client registration where that is enabled, can mint access tokens in the name of any other such client, in any realm hosted by the same OpenAM process. A valid registration is the only precondition: the attacker signs with their own key, not the victim's.
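To make the required check concrete, the following is an added example and not OpenAM's code or the patch: a private_key_jwt verifier whose JWKS resolver cache is keyed by the jwks_uri of the client being authenticated, so a key that a different client published can never satisfy a lookup for the victim, even when the attacker reuses the victim's kid and has already warmed the cache by authenticating legitimately. The client registrations, jwks_uri values and token endpoint are constructed placeholders, and textbook RSA over SHA-256 with no padding stands in for RS256 so the block runs on the standard library alone; it must not be reused for real signing.

```python
"""Added example (not OpenAM code): bind private_key_jwt key resolution to the
client whose jwks_uri is being consulted. Toy RSA and in-memory "remote" JWKS
documents are assumptions made so the block runs offline."""
import base64, hashlib, json, random, time

# --- toy RSA (no padding, illustration only) -------------------------------
def _is_probable_prime(n, rounds=16):
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2; r += 1
    for _ in range(rounds):                        # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c

def gen_keypair(bits=512):
    """Returns (public, private) dicts."""
    e = 65537
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                     # gcd(e, phi) == 1
            return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}

def _b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_assertion(priv, kid, claims):
    """Builds a JWT-shaped client assertion: header.claims.signature."""
    signing_input = _b64u(json.dumps({"alg": "RS256-toy", "kid": kid}).encode()) + "." + _b64u(json.dumps(claims).encode())
    h = int.from_bytes(hashlib.sha256(signing_input.encode()).digest(), "big")
    sig = pow(h, priv["d"], priv["n"])
    return signing_input + "." + _b64u(sig.to_bytes((priv["n"].bit_length() + 7) // 8, "big"))

def _sig_ok(pub, signing_input, sig_b64):
    h = int.from_bytes(hashlib.sha256(signing_input.encode()).digest(), "big")
    return pow(int.from_bytes(_b64u_dec(sig_b64), "big"), pub["e"], pub["n"]) == h

# --- constructed client registry and "remote" JWKS documents ---------------
CLIENTS = {"victim-client": {"jwks_uri": "https://victim.example/jwks.json"},
           "attacker-client": {"jwks_uri": "https://attacker.example/jwks.json"}}
REMOTE_JWKS = {}   # what an HTTPS GET of each jwks_uri would return

def publish(client_id, kid, pub):
    REMOTE_JWKS[CLIENTS[client_id]["jwks_uri"]] = {"keys": [{"kid": kid, "n": pub["n"], "e": pub["e"]}]}

class JwksResolver:
    """Cache keyed by (jwks_uri, kid): a kid alone is attacker-chosen and must
    never be the sole lookup key across clients."""
    def __init__(self):
        self.cache = {}
    def key_for(self, jwks_uri, kid):
        if (jwks_uri, kid) not in self.cache:
            for k in REMOTE_JWKS.get(jwks_uri, {"keys": []})["keys"]:   # real code: fetch jwks_uri
                self.cache[(jwks_uri, k["kid"])] = {"n": k["n"], "e": k["e"]}
        return self.cache.get((jwks_uri, kid))

def verify_client_assertion(assertion, token_endpoint, resolver, now=None):
    """Returns the authenticated client_id, or raises ValueError."""
    now = now or int(time.time())
    h_b64, c_b64, s_b64 = assertion.split(".")
    header, claims = json.loads(_b64u_dec(h_b64)), json.loads(_b64u_dec(c_b64))
    client_id = claims.get("sub")
    if not client_id or claims.get("iss") != client_id:   # RFC 7523: iss == sub == client_id
        raise ValueError("iss/sub mismatch")
    if claims.get("aud") != token_endpoint or claims.get("exp", 0) <= now:
        raise ValueError("bad audience or expired")
    reg = CLIENTS.get(client_id)
    if reg is None:
        raise ValueError("unknown client")
    pub = resolver.key_for(reg["jwks_uri"], header.get("kid"))   # only THIS client's keys
    if pub is None or not _sig_ok(pub, h_b64 + "." + c_b64, s_b64):
        raise ValueError("signature not verified by a key the client published")
    return client_id

def demo():
    """Attacker publishes a key under the victim's kid, authenticates as itself to warm
    the cache, then presents an assertion claiming the victim's identity."""
    v_pub, v_priv = gen_keypair(); a_pub, a_priv = gen_keypair()
    publish("victim-client", "v1", v_pub); publish("attacker-client", "v1", a_pub)
    tok, resolver = "https://openam.example/oauth2/access_token", JwksResolver()
    base = {"aud": tok, "exp": int(time.time()) + 300}
    victim_ok = verify_client_assertion(sign_assertion(v_priv, "v1", {**base, "iss": "victim-client", "sub": "victim-client"}), tok, resolver)
    attacker_ok = verify_client_assertion(sign_assertion(a_priv, "v1", {**base, "iss": "attacker-client", "sub": "attacker-client"}), tok, resolver)
    forged = sign_assertion(a_priv, "v1", {**base, "iss": "victim-client", "sub": "victim-client"})
    try:
        verify_client_assertion(forged, tok, resolver); forged_accepted = True
    except ValueError:
        forged_accepted = False
    return {"victim": victim_ok, "attacker": attacker_ok, "forged_accepted": forged_accepted}

if __name__ == "__main__":
    print(demo())
```

A resolver whose cache were keyed by kid alone would, in this sequence, return the attacker's already-cached key for the forged assertion and accept it. The binding that matters is between the key used for verification and the registration of the client named in `sub`, not merely that some cached key with the right `kid` verifies the signature.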

## Patch

This has been patched in OpenAM Community Edition version 16.1.1. Users are encouraged to update to the latest release.


Affected packages

- Maven: org.openidentityplatform.openam:openam-oauth2
  - Introduced in: 0 (all earlier releases)
  - Fixed in: 16.1.1
  - Fix: in pom.xml, bump `<version>16.1.1</version>` for org.openidentityplatform.openam:openam-oauth2
