Can you explain this vulnerability to me?

This vulnerability exists in Oxia, a metadata store and coordination system, specifically in versions prior to 0.16.2. The issue is that the OIDC authentication provider sets SkipClientIDCheck to true in the go-oidc verifier configuration. This disables the standard audience (aud) claim validation at the library level, which means that tokens issued for unrelated services by the same OIDC issuer can be accepted by Oxia.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

Because the audience claim validation is disabled, Oxia may accept authentication tokens that were not intended for it but were issued for other services by the same OIDC issuer. This can allow unauthorized access to Oxia, potentially leading to security breaches where attackers use tokens meant for other services to gain access.

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade Oxia to version 0.16.2 or later, where the issue with the OIDC authentication provider unconditionally setting SkipClientIDCheck to true is fixed.

Useful 0 Not Useful 0

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

This vulnerability allows Oxia to accept tokens issued for unrelated services by the same OIDC issuer due to disabled audience claim validation. This could lead to unauthorized access to sensitive data or systems.

Such unauthorized access risks violating compliance requirements in standards and regulations like GDPR and HIPAA, which mandate strict access controls and protection of personal and sensitive data.

Therefore, until fixed (in version 0.16.2), this vulnerability may negatively impact compliance with these regulations by undermining authentication integrity and access control.

Useful 0 Not Useful 0