Hi

On Wed, 2 Jul 2025 at 10:08 Junxu Chen <chenju...@apache.org> wrote:

> Severity: important
>
> Affected versions:
>
> - Apache APISIX before 3.12.0
>
> Description:
>
> A vulnerability of plugin openid-connect in Apache APISIX.
>
> This vulnerability will only have an impact if all of the following
> conditions are met:
> 1. Use the openid-connect plugin with introspection mode
> 2. The auth service connected to openid-connect provides services to
> multiple issuers
> 3. Multiple issuers share the same private key and rely only on the
> issuer being different
>
> If affected by this vulnerability, it would allow an attacker with a valid
> account on one of the issuers to log into the other issuer.
>
> This issue affects Apache APISIX: until 3.12.0.
>
> Users are recommended to upgrade to version 3.12.0 or higher.
>
> Credit:
>
> Tiernan Messmer (finder)
>
> References:
>
> https://lists.apache.org/thread/yrpp2cd3o4qkxlrh421mq8gsrt0k4x0w
> https://apisix.apache.org
> https://www.cve.org/CVERecord?id=CVE-2025-46647
>

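The failure mode the advisory describes, as an added example that is not part of the original thread and not APISIX's openid-connect plugin code: two issuers share one signing key, a single introspection endpoint serves both, and a gateway that trusts only the introspection "active" flag lets an account from issuer A through a route configured for issuer B. Everything here is constructed: the HS256 key, the issuer URLs, the minimal JWT minting, and the mock introspection endpoint that echoes `iss` (an optional response member under RFC 7662, assumed present). The hardened check simply pins the issuer; it illustrates the class of fix, and is not a reproduction of the actual change shipped in APISIX 3.12.0.

```python
"""Constructed illustration of issuer confusion behind a shared-key introspection
endpoint.  Example code only; not APISIX's plugin.  Keys, issuers and the
introspection service are all made up for this demonstration."""
import base64
import hashlib
import hmac
import json

# Constructed: one HMAC key shared by two issuers (condition 3 in the advisory).
# A sound deployment gives each issuer its own key.
SHARED_KEY = b"constructed-shared-secret"
ISSUER_A = "https://issuer-a.example"
ISSUER_B = "https://issuer-b.example"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(issuer: str, subject: str) -> str:
    """Issue a minimal HS256 JWT for `subject` on behalf of `issuer`."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": issuer, "sub": subject}).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(SHARED_KEY, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def introspect(token: str) -> dict:
    """Stand-in for an RFC 7662 introspection endpoint shared by both issuers.

    It verifies the signature against the shared key only, so any token minted
    by either issuer comes back as active.  `iss` is echoed from the token
    (assumed here; RFC 7662 lists it as an optional response member).
    """
    try:
        header, payload, sig = token.split(".")
        signing_input = f"{header}.{payload}".encode()
        expected = hmac.new(SHARED_KEY, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return {"active": False}
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # malformed base64/JSON or wrong number of segments
        return {"active": False}
    return {"active": True, "iss": claims.get("iss"), "sub": claims.get("sub")}


def vulnerable_gateway_accepts(token: str, configured_issuer: str) -> bool:
    """Weak pattern: trust the introspection 'active' flag alone.

    `configured_issuer` is ignored, which is exactly the gap: a token from the
    other issuer is still 'active' because the same key signed it.
    """
    resp = introspect(token)
    return resp.get("active") is True


def hardened_gateway_accepts(token: str, configured_issuer: str) -> bool:
    """Pinned pattern: also require the introspected issuer to match the route's."""
    resp = introspect(token)
    return resp.get("active") is True and resp.get("iss") == configured_issuer


if __name__ == "__main__":
    alice_on_a = mint_token(ISSUER_A, "alice")
    # Route configured for issuer B; Alice only has an account on issuer A.
    print("weak gateway  :", vulnerable_gateway_accepts(alice_on_a, ISSUER_B))
    print("pinned gateway:", hardened_gateway_accepts(alice_on_a, ISSUER_B))
```

The same check matters outside introspection mode: whenever several issuers can produce signatures a verifier accepts, the verifier must compare the token's `iss` against the issuer it was configured for rather than relying on "the signature checked out".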