Update dependency Duende.IdentityServer to 6.1.8 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
Duende.IdentityServer	6.1.1 -> 6.1.8

GitHub Vulnerability Alerts

CVE-2024-39694

Impact

It is possible for an attacker to craft malicious Urls that certain functions in IdentityServer will incorrectly treat as local and trusted. If such a Url is returned as a redirect, some browsers will follow it to a third-party, untrusted site.

Note: by itself, this vulnerability does not allow an attacker to obtain user credentials, authorization codes, access tokens, refresh tokens, or identity tokens. An attacker could however exploit this vulnerability as part of a phishing attack designed to steal user credentials.

Affected Methods

• In the DefaultIdentityServerInteractionService, the GetAuthorizationContextAsync method may return non-null and the IsValidReturnUrl method may return true for malicious Urls, indicating incorrectly that they can be safely redirected to.

  UI code calling these two methods is the most commonly used code path that will expose the vulnerability. The default UI templates rely on this behavior in the Login, Challenge, Consent, and Account Creation pages. Customized user interface code might also rely on this behavior. The following uncommonly used APIs are also vulnerable:

• The ServerUrlExtensions.GetIdentityServerRelativeUrl, ReturnUrlParser.ParseAsync and OidcReturnUrlParser.ParseAsync methods may incorrectly return non-null, and the ReturnUrlParser.IsValidReturnUrl and OidcReturnUrlParser.IsValidReturnUrl methods may incorrectly return true for malicious Urls.

Patches

This vulnerability is fixed in the following versions of Duende.IdentityServer:

• 7.0.6
• 6.3.10
• 6.2.5
• 6.1.8
• 6.0.5

Duende.IdentityServer 5.1 and earlier and all versions of IdentityServer4 are no longer supported and will not be receiving updates.

Workarounds

If upgrading is not possible, use IUrlHelper.IsLocalUrl from ASP.NET Core 5.0 or later to validate return Urls in user interface code in the IdentityServer host.

---

Release Notes

DuendeSoftware/IdentityServer (Duende.IdentityServer)

v6.1.8

Compare Source

This is a security hotfix that addresses CVE-2024-39694. See the security advisory for more details.

v6.1.7

Compare Source

What's Changed

• remove unnecessary call to AsNoTracking by @​brockallen in https://github.com/DuendeSoftware/IdentityServer/pull/1043

Full Changelog: DuendeSoftware/IdentityServer@6.1.6...6.1.7

v6.1.6

Compare Source

What's Changed

• Add support for "extras" in license key by @​brockallen in https://github.com/DuendeSoftware/IdentityServer/pull/1030
• Fix refresh token data fixup upgrade when using DefaultPersistedGrantService by @​brockallen in https://github.com/DuendeSoftware/IdentityServer/pull/1028

Full Changelog: DuendeSoftware/IdentityServer@6.1.5...6.1.6

v6.1.5

Compare Source

What's Changed

• when renewing server-side session, create new entry if current session not found by @​brockallen in https://github.com/DuendeSoftware/IdentityServer/pull/1008

Full Changelog: DuendeSoftware/IdentityServer@6.1.4...6.1.5

v6.1.4

Compare Source

What's Changed

• fix URI validation to allow query params with encoded values by @​brockallen in https://github.com/DuendeSoftware/IdentityServer/pull/1007

Full Changelog: DuendeSoftware/IdentityServer@6.1.3...6.1.4

v6.1.3

Compare Source

What's Changed

• support invalid_request when client_id is missing in client secret validator by @​brockallen in https://github.com/DuendeSoftware/IdentityServer/pull/980

Full Changelog: DuendeSoftware/IdentityServer@6.1.2...6.1.3

v6.1.2

Compare Source

What's Changed

• handle bad form data on token (and other) endpoints by @​brockallen in https://github.com/DuendeSoftware/IdentityServer/pull/958
• ensure we capture milliseconds of the current DateTime when creating events by @​brockallen in https://github.com/DuendeSoftware/IdentityServer/pull/950
• fix incorrect filtering logic in QuerySessionsAsync by @​brockallen in https://github.com/DuendeSoftware/IdentityServer/pull/946
• make OperationalStoreOptions public on PersistedGrantDbContext by @​brockallen in https://github.com/DuendeSoftware/IdentityServer/pull/945
• capture session id value on token request when refresh token is being used by @​brockallen in https://github.com/DuendeSoftware/IdentityServer/pull/944
• add back missing virtuals to PersistedGrantStore by @​brockallen in https://github.com/DuendeSoftware/IdentityServer/pull/964
• Make AuthorizationRequest ctor as public to override implementation IReturnUrlParser by @​yartat in https://github.com/DuendeSoftware/IdentityServer/pull/791
• Ignore empty query/form input values by @​brockallen in https://github.com/DuendeSoftware/IdentityServer/pull/947

New Contributors

• @​yartat made their first contribution in https://github.com/DuendeSoftware/IdentityServer/pull/791

Full Changelog: DuendeSoftware/IdentityServer@6.1.1...6.1.2

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.