Amazon Application Load Balancer OpenID Connect Middleware JWT Validation Vulnerability
Vulnerability
A vulnerability exists in the Amazon Application Load Balancer (ALB) OpenID Connect middleware for ASP.NET Core. The middleware correctly validates the signature on the JWT that the ALB forwards to its targets, but it does not verify the JWT issuer or check that the signer attribute in the token names the expected load balancer. A JWT signed by a different load balancer therefore passes validation, so an untrusted party who controls another ALB can obtain validly signed tokens. If the targets are reachable directly from the internet rather than only through the ALB, that party can present such a token to them and impersonate a valid OIDC-federated session.
Impact
Exploitation of this vulnerability allows an actor holding a JWT signed by a different load balancer to impersonate valid OIDC-federated sessions to the ALB targets: the signature verifies, and the signer is never compared against the ALB that is expected to front the target.
Remediation
The repository has been deprecated and is no longer supported. As mitigations, ensure that ALB targets do not have public IP addresses, so that tokens can only reach them through the ALB, and validate that the signer attribute in the JWT matches the ARN of the ALB in front of the targets before trusting any claim in the token.
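The check the remediation describes, written out as an added example; this is not code from the deprecated middleware or from AWS, and it is in Go rather than C# because the verification logic is the same in any language. Everything it needs is simulated locally: the two load balancers are stand-in P-256 keys generated at run time, the regional public-key endpoint is a map that resolves any kid regardless of which load balancer owns it, the ARNs, issuers, kids and claims are constructed for the example, and the token encoding is plain RFC 7515 base64url rather than an exact replica of the ALB's header format. The block runs the same forged token through a signature-only verifier (the vulnerable behaviour) and through one that also pins the signer ARN and the issuer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// Header holds the JOSE header fields an ALB places in x-amzn-oidc-data; "signer" is the ARN of the minting ALB.
type Header struct {
	Alg    string `json:"alg"`
	Kid    string `json:"kid"`
	Signer string `json:"signer"`
	Iss    string `json:"iss"`
}

// KeyResolver stands in for the regional public-key endpoint. Simulation assumption: any kid
// resolves regardless of which load balancer owns it, and keys are generated locally, not fetched.
type KeyResolver map[string]*ecdsa.PublicKey

// signToken simulates a load balancer minting an ES256 token (simplified RFC 7515 encoding).
func signToken(priv *ecdsa.PrivateKey, hdr Header, claims map[string]string) string {
	hb, _ := json.Marshal(hdr)
	cb, _ := json.Marshal(claims)
	input := base64.RawURLEncoding.EncodeToString(hb) + "." + base64.RawURLEncoding.EncodeToString(cb)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		panic(err) // only the local RNG can fail here; not part of what the demo shows
	}
	// JWS ES256 signature is r || s, each left-padded to 32 bytes
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// verifySignatureOnly reproduces the vulnerable check: signature against whatever key the kid resolves to, signer and issuer never compared.
func verifySignatureOnly(token string, keys KeyResolver) (Header, error) {
	var hdr Header
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return hdr, fmt.Errorf("malformed token")
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || err2 != nil || len(sig) != 64 {
		return hdr, fmt.Errorf("malformed token encoding")
	}
	if err := json.Unmarshal(hb, &hdr); err != nil || hdr.Alg != "ES256" {
		return hdr, fmt.Errorf("bad header (alg=%q): %v", hdr.Alg, err)
	}
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if pub := keys[hdr.Kid]; pub == nil || !ecdsa.Verify(pub, digest[:], r, s) {
		return hdr, fmt.Errorf("unknown kid %q or bad signature", hdr.Kid)
	}
	return hdr, nil
}

// verifyHardened adds the remediation's checks: the signer must be the ARN of the ALB in front of this target, the issuer the expected IdP.
func verifyHardened(token string, keys KeyResolver, wantSigner, wantIssuer string) (Header, error) {
	hdr, err := verifySignatureOnly(token, keys)
	if err != nil {
		return hdr, err
	}
	if hdr.Signer != wantSigner {
		return hdr, fmt.Errorf("token signed by %q, expected %q", hdr.Signer, wantSigner)
	}
	if hdr.Iss != wantIssuer {
		return hdr, fmt.Errorf("unexpected issuer %q", hdr.Iss)
	}
	return hdr, nil
}

// Demo mints a token from a victim ALB and from an attacker-controlled ALB (hypothetical ARNs, issuers and kids) and reports which verifier accepts which token.
func Demo() (forgedPassesSigOnly, forgedPassesHardened, legitPassesHardened bool) {
	const victimARN = "arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/app/victim/abc123"
	const attackerARN = "arn:aws:elasticloadbalancing:us-east-1:222222222222:loadbalancer/app/attacker/def456"
	const victimIdP = "https://idp.example.com"
	victimKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)   // local stand-ins for the ALBs'
	attackerKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // signing keys; keygen errors ignored
	keys := KeyResolver{"kid-victim": &victimKey.PublicKey, "kid-attacker": &attackerKey.PublicKey}
	claims := map[string]string{"sub": "admin@example.com"} // constructed sample claims
	forged := signToken(attackerKey, Header{"ES256", "kid-attacker", attackerARN, "https://idp.attacker.example"}, claims)
	legit := signToken(victimKey, Header{"ES256", "kid-victim", victimARN, victimIdP}, claims)
	_, e1 := verifySignatureOnly(forged, keys)
	_, e2 := verifyHardened(forged, keys, victimARN, victimIdP)
	_, e3 := verifyHardened(legit, keys, victimARN, victimIdP)
	return e1 == nil, e2 == nil, e3 == nil
}

func main() {
	fmt.Println(Demo()) // true false true
}
```

The first result is the vulnerability: the attacker's token carries a kid that the shared key endpoint happily resolves, so the signature is genuine and a signature-only verifier accepts it. The hardened verifier rejects the same token purely on the signer ARN, while still accepting the victim ALB's own token; in a real deployment the expected ARN and issuer would come from configuration, and the key lookup would hit the regional public-keys endpoint rather than a map.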
