CVE-2021-44878

7.5 HIGH

📋 TL;DR

CVE-2021-44878 is an authentication bypass in pac4j's OpenID Connect client (the pac4j-oidc module). pac4j v5.3.0 and earlier accept an ID token whose JWS header declares the 'none' algorithm, that is, a token with no signature at all, whenever the provider advertises that algorithm, unless the client is explicitly configured to refuse it; the 'idtoken' response type is affected even then. An attacker who can get such a forged token to the pac4j callback is logged in as whatever 'sub' they wrote into it, without knowing any key.

💻 Affected Systems

Products:
  • pac4j
Versions: v5.3.0 and prior versions
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only OpenID Connect clients are affected, and only when the provider's discovery document lists 'none' in id_token_signing_alg_values_supported or the client uses the 'idtoken' (implicit) response type. With the authorization code flow the ID token is fetched from the token endpoint over the back channel, so forging it requires a malicious or compromised provider or a position on that connection; with 'idtoken' the token is returned through the user's browser, so the user is the attacker.
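The following is an added illustration, not pac4j's code and not from the advisory: a minimal model of the weak validation pattern the TL;DR describes (accept whatever algorithm the provider advertises, and treat 'none' as "nothing to verify") beside a hardened validator that pins the expected algorithm and refuses unsigned tokens unconditionally. The provider metadata, client id and shared secret are constructed for the example; HS256 is used so the block runs on the standard library alone (OIDC permits HS256 with the client secret, though RS256 is the common choice).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed provider metadata (not a real discovery document): it advertises
# "none" among the supported ID token signing algorithms, which is the
# precondition the advisory describes.
PROVIDER_METADATA = {
    "issuer": "https://op.example",
    "id_token_signing_alg_values_supported": ["RS256", "HS256", "none"],
}
CLIENT_ID = "my-client"                       # hypothetical relying party
CLIENT_SECRET = b"shared-secret-with-the-op"  # hypothetical; HS256 key per OIDC Core 10.1
EXPECTED_ALG = "HS256"                        # the algorithm the hardened client pins


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, alg: str, key: bytes = b"") -> str:
    """Build a compact JWS. alg="none" yields an empty signature segment,
    which is exactly what an attacker submits in this attack."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    if alg == "none":
        return f"{header}.{payload}."
    if alg == "HS256":
        sig = hmac.new(key, signing_input, hashlib.sha256).digest()
        return f"{header}.{payload}.{b64url(sig)}"
    raise ValueError(f"unsupported alg {alg}")


def _parse(token: str):
    header_b64, payload_b64, sig = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    return header, claims, sig, f"{header_b64}.{payload_b64}".encode()


def _claims_ok(claims: dict, now: float) -> bool:
    return (claims.get("iss") == PROVIDER_METADATA["issuer"]
            and claims.get("aud") == CLIENT_ID
            and claims.get("exp", 0) > now)


def _hs256_ok(signing_input: bytes, sig: str) -> bool:
    expected = b64url(hmac.new(CLIENT_SECRET, signing_input, hashlib.sha256).digest())
    return hmac.compare_digest(expected, sig)


def validate_vulnerable(token: str, now=None):
    """Weak pattern: any algorithm the provider advertises is acceptable, and
    "none" means there is nothing to verify. Returns the claims or None."""
    now = time.time() if now is None else now
    header, claims, sig, signing_input = _parse(token)
    alg = header.get("alg")
    if alg not in PROVIDER_METADATA["id_token_signing_alg_values_supported"]:
        return None
    if alg == "none":
        return claims if _claims_ok(claims, now) else None  # signature never checked
    if alg == "HS256" and _hs256_ok(signing_input, sig):
        return claims if _claims_ok(claims, now) else None
    return None


def validate_hardened(token: str, now=None):
    """Pin the algorithm in client configuration, refuse "none" regardless of
    what the provider advertises, verify the signature, then the claims."""
    now = time.time() if now is None else now
    header, claims, sig, signing_input = _parse(token)
    alg = header.get("alg")
    if alg == "none" or alg != EXPECTED_ALG:
        return None
    if not _hs256_ok(signing_input, sig):
        return None
    return claims if _claims_ok(claims, now) else None


def demo(now=1_700_000_000):
    base = {"iss": PROVIDER_METADATA["issuer"], "aud": CLIENT_ID, "iat": now, "exp": now + 300}
    forged = make_id_token({**base, "sub": "admin"}, "none")            # attacker: no key needed
    legit = make_id_token({**base, "sub": "alice"}, "HS256", CLIENT_SECRET)
    tampered = legit.rsplit(".", 1)[0] + "." + b64url(b"\x00" * 32)     # legit body, bogus signature
    return {
        "vulnerable_accepts_forged": validate_vulnerable(forged, now) is not None,
        "hardened_accepts_forged": validate_hardened(forged, now) is not None,
        "hardened_accepts_legit": validate_hardened(legit, now) is not None,
        "hardened_accepts_tampered": validate_hardened(tampered, now) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that the vulnerable validator's decision is driven by data the attacker influences (the token's own 'alg' header) filtered only by what the provider happens to advertise, whereas the hardened one decides from client configuration first and only then looks at the token.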

📦 What is this software?

pac4j is a Java security library that gives JVM web frameworks (Spring, Play, Vert.x, JAX-RS and others, through per-framework adapters) a common authentication and authorization layer, with clients for OAuth, OpenID Connect, SAML, CAS, JWT and HTTP authentication. The pac4j-oidc module implements the OpenID Connect relying party on top of the Nimbus OAuth 2.0 / OpenID Connect SDK and is the component that validates the ID tokens returned by the provider.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker forges an unsigned ID token for any 'sub', including an administrator, and the application accepts it: complete authentication bypass and user impersonation on every application that relies on pac4j for OpenID Connect login.

🟠 Likely Case

Unauthorized access to applications that use the 'idtoken' response type or a provider that advertises 'none', where the attacker needs no inside position; for code-flow deployments the impact depends on a malicious or compromised provider.

🟢 If Mitigated

No impact once the client pins an expected signing algorithm and rejects 'none' unconditionally, which is what the 5.3.1 fix does, or once pac4j-oidc is updated.

🌐 Internet-Facing: HIGH - Web applications using pac4j for authentication are directly exposed to this attack.
🏢 Internal Only: MEDIUM - Internal applications are still vulnerable but attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Forging the token needs no key and no pac4j-specific tooling: it is a JWT whose header says {"alg":"none"} and whose signature segment is empty, a well-documented technique. What the attacker needs is a way to deliver it to the pac4j callback: trivial with the 'idtoken' response type, where the token travels through the attacker's own browser, and otherwise requiring a malicious or compromised provider or the ability to intercept and modify the client's back-channel token request.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v5.3.1 and later

Vendor Advisory: https://www.pac4j.org/blog/cve_2021_44878_is_this_serious.html

Restart Required: Yes

Instructions:

1. Update the pac4j dependencies (org.pac4j:pac4j-oidc and the other pac4j modules you use, kept on the same version) to 5.3.1 or later in your Maven or Gradle build.
2. Rebuild and check the resolved dependency tree so that no transitive dependency, parent POM or BOM still pins an older pac4j-oidc.
3. Restart the application.
4. Verify the fix by submitting an ID token with 'alg': 'none' to the callback in a staging environment; it must be rejected, and a normally signed token must still log the user in.

🔧 Temporary Workarounds

Explicitly reject the 'none' algorithm

Platform: all

Pin the JWS algorithm the client expects (OidcConfiguration.setPreferredJwsAlgorithm, for example RS256) so that ID token validation does not fall back to the provider's full advertised algorithm list; this appears to be the explicit client-side configuration the advisory refers to. Confirm on your version that only the pinned algorithm is then accepted, and do not rely on this alone for the 'idtoken' response type.

Use only trusted OpenID providers

Platform: all

Use the authorization code flow (response type 'code') rather than 'idtoken', so the ID token is obtained over the back channel, and use providers whose discovery document does not list 'none' in id_token_signing_alg_values_supported.

Restrict the allowed providers in configuration to those that meet both conditions.

🧯 If You Can't Patch

  • Add a validation step in front of pac4j's profile creation (for example a servlet filter on the callback URL) that decodes the id_token header and rejects 'none' and any unexpected algorithm, and that rejects tokens whose signature segment is empty
  • Alert on, or block at the WAF, callback requests whose id_token header has 'alg' 'none'. Match the decoded header where possible rather than a fixed string: the base64url form of a header beginning {"alg":"none" is eyJhbGciOiJub25l, but a header with a different key order encodes differently

🔍 How to Verify

Check if Vulnerable:

Any pac4j-oidc dependency at 5.3.0 or earlier is affected to the extent described under Affected Systems. To confirm empirically in a staging environment: log in normally, capture the id_token delivered to the callback, replace its header with {"alg":"none"}, change the 'sub' claim, drop the signature segment (leave the trailing dot), and resubmit it to the callback. If the application creates a session for the edited 'sub', it is vulnerable.

Check Version:

Check the resolved dependency tree rather than only the declared versions (mvn dependency:tree or gradle dependencies), since the pac4j version may come from a property, a parent POM or a BOM; look for org.pac4j:pac4j-oidc.
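As an added example (not a pac4j tool, and not from the advisory), the script below audits a Maven pom.xml for org.pac4j dependencies, resolves the common ${property} indirection, and compares each version against 5.3.1. The pom.xml content is constructed for the example; real projects should be checked from the resolved dependency tree as well, since a version inherited from a parent or BOM does not appear in the file at all, and Gradle builds are not parsed here.

```python
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (5, 3, 1)   # first release with the fix
PAC4J_GROUP = "org.pac4j"

# Constructed pom.xml (not from a real project). The version lives in a
# property, which a naive grep for "pac4j-oidc" next to a number would miss,
# and one module has no version at all (inherited from a parent or BOM).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>webapp</artifactId>
  <version>1.0</version>
  <properties>
    <pac4j.version>5.2.1</pac4j.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.pac4j</groupId>
      <artifactId>pac4j-oidc</artifactId>
      <version>${pac4j.version}</version>
    </dependency>
    <dependency>
      <groupId>org.pac4j</groupId>
      <artifactId>pac4j-core</artifactId>
      <version>${pac4j.version}</version>
    </dependency>
    <dependency>
      <groupId>org.pac4j</groupId>
      <artifactId>pac4j-saml</artifactId>
    </dependency>
  </dependencies>
</project>
"""


def _local(tag: str) -> str:
    """Strip the POM namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _resolve(value: str, props: dict) -> str:
    """Substitute ${name} placeholders from <properties>; unknown ones are left as-is."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def pac4j_dependencies(pom_xml: str):
    """Return [(artifactId, version or None)] for every org.pac4j dependency."""
    root = ET.fromstring(pom_xml)
    props = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            props.update({_local(p.tag): (p.text or "").strip() for p in el})
    found = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("groupId") != PAC4J_GROUP:
            continue
        version = _resolve(fields.get("version", ""), props)
        # Missing or unresolved version: it comes from a parent/BOM, report it as unknown
        resolved = version if version and "${" not in version else None
        found.append((fields.get("artifactId", "?"), resolved))
    return found


def is_vulnerable(version):
    """True if version < 5.3.1, False if 5.3.1 or later, None if the version is unknown."""
    if not version:
        return None
    parts = tuple(int(x) for x in re.findall(r"\d+", version)[:3])
    if not parts:
        return None
    parts += (0,) * (3 - len(parts))
    return parts < FIXED_VERSION


def audit(pom_xml: str):
    """[(artifactId, version, vulnerable?)] for the org.pac4j dependencies in a POM."""
    return [(artifact, version, is_vulnerable(version))
            for artifact, version in pac4j_dependencies(pom_xml)]


if __name__ == "__main__":
    for artifact, version, vulnerable in audit(SAMPLE_POM):
        print(f"{artifact:12} {version or 'unresolved':10} vulnerable={vulnerable}")
```

Only pac4j-oidc carries the flaw, but the pac4j modules are versioned together, so every org.pac4j artifact is listed: a mixed set of versions is itself a finding worth raising.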

Verify Fix Applied:

After updating to 5.3.1 or later, repeat the forged-token test: the 'alg': 'none' token must be rejected and a properly signed token must still log the user in. Also confirm that the client configuration pins an expected JWS algorithm and does not explicitly opt back in to unsigned ID tokens.

📡 Detection & Monitoring

Log Indicators:

  • id_token values at the callback whose decoded header has 'alg' set to 'none', or whose third (signature) segment is empty; note that the header is base64url encoded, so the literal string "alg":"none" does not appear in logs
  • Token validation failures followed closely by a successful login from the same client address
  • Successful logins for subjects the provider does not know, or callback requests with no preceding redirect to the provider's authorization endpoint

Network Indicators:

  • Callback requests (query string or form_post body, depending on the response mode) carrying an id_token that ends in a bare '.' with nothing after it
  • id_token values whose first segment starts with eyJhbGciOiJub25l (a header beginning {"alg":"none"); other key orders encode differently, so decode the header rather than grep where the platform allows it

SIEM Query:

search callback requests where the id_token parameter matches a JWT pattern and either the decoded header has alg 'none' or the token ends with '.'; on platforms limited to literal matching: id_token contains 'eyJhbGciOiJub25l' OR id_token matches '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.$' OR message contains 'token validation failed'
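Added example, not part of the page or of any pac4j tooling: a scanner that pulls JWT-shaped strings out of log lines, decodes the header without verifying anything, and flags tokens with 'alg' 'none' or an empty signature segment. It also runs the literal-prefix rule a SIEM would use, to show why decoding is preferable. The log lines and tokens are constructed; a real callback handler may or may not log the id_token, so the same function would typically run over a WAF or reverse-proxy request log.

```python
import base64
import json
import re

# Compact JWS shape: two base64url segments, then an optional third (the signature).
JWT_RE = re.compile(r"(?<![A-Za-z0-9_-])[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]*")
# base64url of a header that begins with {"alg":"none": the string a literal SIEM rule would grep
NONE_PREFIX = "eyJhbGciOiJub25l"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _jwt(header: dict, payload: dict, sig: str = "") -> str:
    """Assemble a token for the constructed sample logs (no signing is done)."""
    return ".".join([_b64url(json.dumps(header, separators=(",", ":")).encode()),
                     _b64url(json.dumps(payload).encode()), sig])


# Constructed log lines (not real pac4j output): a callback handler that logs the
# submitted id_token. Line 2 reorders the header keys, which defeats a prefix grep.
SAMPLE_LOGS = [
    "2021-12-20T10:15:01Z INFO  callback src=203.0.113.7 id_token="
    + _jwt({"alg": "none", "typ": "JWT"}, {"sub": "admin", "iss": "https://op.example"}),
    "2021-12-20T10:15:09Z INFO  callback src=203.0.113.7 id_token="
    + _jwt({"typ": "JWT", "alg": "none"}, {"sub": "admin", "iss": "https://op.example"}),
    "2021-12-20T10:15:30Z INFO  callback src=198.51.100.4 id_token="
    + _jwt({"alg": "RS256", "kid": "k1"}, {"sub": "alice", "iss": "https://op.example"},
           "c2lnbmF0dXJlLWJ5dGVzLWhlcmU"),
    "2021-12-20T10:16:07Z WARN  healthcheck latency=912ms",
]


def inspect_token(token: str):
    """Decode header and payload without verifying, and list why the token is suspect."""
    head_b64, body_b64, sig = token.split(".", 2)
    try:
        header = json.loads(_b64url_decode(head_b64))
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError:          # covers binascii.Error, JSONDecodeError and bad UTF-8
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None             # base64-looking text that is not a JWT
    reasons = []
    # Compared case-insensitively so spelling variants such as "None" are not missed
    if str(header.get("alg", "")).lower() == "none":
        reasons.append("alg=none")
    if sig == "":
        reasons.append("empty signature segment")
    return {"alg": header.get("alg"), "sub": claims.get("sub"), "reasons": reasons}


def scan_logs(lines):
    """One finding per unsigned or alg=none token found in the lines."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for token in JWT_RE.findall(line):
            info = inspect_token(token)
            if info and info["reasons"]:
                findings.append({"line": lineno, **info})
    return findings


def prefix_grep(lines):
    """The literal-string rule most SIEMs would run; returns matching line numbers."""
    return [n for n, line in enumerate(lines, 1) if NONE_PREFIX in line]


if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"line {f['line']}: alg={f['alg']} sub={f['sub']} {', '.join(f['reasons'])}")
    print("prefix grep matched lines:", prefix_grep(SAMPLE_LOGS))
```

Both 'none' tokens are found by decoding, while the literal prefix matches only the first: the base64url encoding of a JSON header depends on the exact bytes, so key order, whitespace or a 'typ' field placed first all change the prefix.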

🔗 References

  • pac4j blog, "CVE-2021-44878: is this serious?": https://www.pac4j.org/blog/cve_2021_44878_is_this_serious.html
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-44878
