Severity: MEDIUM

GHSA-29fc-p6c4-24cg

Symfony's OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims

Details

### Description

`OidcTokenHandler` is Symfony's built-in access-token handler for OpenID Connect: it validates a bearer JWT and returns the authenticated user identity. It delegates claim validation to the `web-token/jwt-checker` library's `ClaimCheckerManager`.

`OidcTokenHandler::verifyClaims()` registers audience (`aud`), issuer (`iss`), and expiry (`exp`) checkers, but never passes the `$mandatoryClaims` argument to `ClaimCheckerManager::check()`. That method only validates claims that are *present* in the token: a checker for an absent claim is silently skipped. A validly-signed JWT that simply **omits** `aud`, `iss`, and `exp` therefore passes verification.

### Resolution

The `OidcTokenHandler` now calls the `ClaimCheckerManager` with the list of mandatory claims so that tokens missing `aud`, `iss`, or `exp` are rejected.

The patch for this issue is available [here](https://github.com/symfony/symfony/commit/6b717aaac21b7e96798448d14c4355ea87690b3d) for branch 6.4.
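The following is an added example, not Symfony's code or the code of the `web-token/jwt-checker` project, that reproduces the behaviour described above and in the Resolution section directly against `ClaimCheckerManager`: the same three checkers are called once without and once with the `$mandatoryClaims` list. The issuer URL, the client id, the vendor autoload path and both claim sets are assumptions constructed for the demonstration; signature verification is deliberately out of scope because the bug is in claim validation of an already verified token.

```php
<?php
// Added example (not Symfony's or web-token's own code). Assumes the composer
// package web-token/jwt-checker is installed and autoloadable from ./vendor.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Jose\Component\Checker\AudienceChecker;
use Jose\Component\Checker\ClaimCheckerManager;
use Jose\Component\Checker\ExpirationTimeChecker;
use Jose\Component\Checker\InvalidClaimException;
use Jose\Component\Checker\IssuerChecker;
use Jose\Component\Checker\MissingMandatoryClaimException;

// The same kind of checkers OidcTokenHandler registers. Issuer and audience
// values are assumed for this example.
$manager = new ClaimCheckerManager([
    new IssuerChecker(['https://issuer.example']),
    new AudienceChecker('my-client-id'),
    new ExpirationTimeChecker(),
]);

// Constructed payload: what a validly signed token that simply omits
// aud, iss and exp decodes to.
$claimsWithoutLifetime = ['sub' => 'alice'];

// Constructed payload with the claims present but wrong (expired, other audience).
$badClaims = [
    'sub' => 'alice',
    'iss' => 'https://issuer.example',
    'aud' => 'some-other-client',
    'exp' => time() - 3600,
];

// Vulnerable pattern: check() without $mandatoryClaims. A checker whose claim
// is absent from the payload is skipped, so $claimsWithoutLifetime passes.
function checkWithoutMandatory(ClaimCheckerManager $manager, array $claims): string
{
    try {
        $manager->check($claims);
        return 'accepted';
    } catch (InvalidClaimException | MissingMandatoryClaimException $e) {
        return 'rejected: ' . $e->getMessage();
    }
}

// Fixed pattern: the mandatory-claims list makes absence itself an error
// (MissingMandatoryClaimException), while present-but-wrong claims still
// raise InvalidClaimException.
function checkWithMandatory(ClaimCheckerManager $manager, array $claims): string
{
    try {
        $manager->check($claims, ['iss', 'aud', 'exp']);
        return 'accepted';
    } catch (InvalidClaimException | MissingMandatoryClaimException $e) {
        return 'rejected: ' . $e->getMessage();
    }
}

printf("without mandatory list, claims absent : %s\n", checkWithoutMandatory($manager, $claimsWithoutLifetime));
printf("without mandatory list, claims wrong  : %s\n", checkWithoutMandatory($manager, $badClaims));
printf("with mandatory list,    claims absent : %s\n", checkWithMandatory($manager, $claimsWithoutLifetime));
printf("with mandatory list,    claims wrong  : %s\n", checkWithMandatory($manager, $badClaims));
```

The first call is the interesting one: with no mandatory list, the payload that carries no `aud`, `iss` or `exp` at all is accepted, even though the same manager rejects a payload where those claims are present and wrong. Passing `['iss', 'aud', 'exp']` as the second argument is the whole fix; when auditing your own code that wraps `ClaimCheckerManager`, look for `check($claims)` calls with a single argument.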

### Credits

Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.


Affected packages

| Package | First affected version | Fixed version | Fix |
|---|---|---|---|
| Packagist / symfony/security-http | 6.3.0 | 6.4.40 | `composer require symfony/security-http:^6.4.40` |
| Packagist / symfony/security-http | 7.4.0 | 7.4.12 | `composer require symfony/security-http:^7.4.12` |
| Packagist / symfony/security-http | 8.0.0 | 8.0.12 | `composer require symfony/security-http:^8.0.12` |
| Packagist / symfony/symfony | 6.3.0 | 6.4.40 | `composer require symfony/symfony:^6.4.40` |
| Packagist / symfony/symfony | 7.4.0 | 7.4.12 | `composer require symfony/symfony:^7.4.12` |
| Packagist / symfony/symfony | 8.0.0 | 8.0.12 | `composer require symfony/symfony:^8.0.12` |

References