[deps] Auth: Update Duende.IdentityServer to v7.0.6 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
Duende.IdentityServer	7.0.5 -> 7.0.6

GitHub Vulnerability Alerts

CVE-2024-39694

Impact

It is possible for an attacker to craft malicious Urls that certain functions in IdentityServer will incorrectly treat as local and trusted. If such a Url is returned as a redirect, some browsers will follow it to a third-party, untrusted site.

Note: by itself, this vulnerability does not allow an attacker to obtain user credentials, authorization codes, access tokens, refresh tokens, or identity tokens. An attacker could however exploit this vulnerability as part of a phishing attack designed to steal user credentials.

Affected Methods

• In the DefaultIdentityServerInteractionService, the GetAuthorizationContextAsync method may return non-null and the IsValidReturnUrl method may return true for malicious Urls, indicating incorrectly that they can be safely redirected to.

  UI code calling these two methods is the most commonly used code path that will expose the vulnerability. The default UI templates rely on this behavior in the Login, Challenge, Consent, and Account Creation pages. Customized user interface code might also rely on this behavior. The following uncommonly used APIs are also vulnerable:

• The ServerUrlExtensions.GetIdentityServerRelativeUrl, ReturnUrlParser.ParseAsync and OidcReturnUrlParser.ParseAsync methods may incorrectly return non-null, and the ReturnUrlParser.IsValidReturnUrl and OidcReturnUrlParser.IsValidReturnUrl methods may incorrectly return true for malicious Urls.

Patches

This vulnerability is fixed in the following versions of Duende.IdentityServer:

• 7.0.6
• 6.3.10
• 6.2.5
• 6.1.8
• 6.0.5

Duende.IdentityServer 5.1 and earlier and all versions of IdentityServer4 are no longer supported and will not be receiving updates.

Workarounds

If upgrading is not possible, use IUrlHelper.IsLocalUrl from ASP.NET Core 5.0 or later to validate return Urls in user interface code in the IdentityServer host.

---

Release Notes

DuendeSoftware/IdentityServer (Duende.IdentityServer)

v7.0.6

Compare Source

This is a security hotfix that addresses CVE-2024-39694. See the security advisory for more details.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 41.43%. Comparing base (398741c) to head (00e346d).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4573      +/-   ##
==========================================
- Coverage   41.43%   41.43%   -0.01%     
==========================================
  Files        1280     1280              
  Lines       60425    60425              
  Branches     5547     5547              
==========================================
- Hits        25037    25036       -1     
- Misses      34215    34216       +1     
  Partials     1173     1173              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[bitwarden-bot]

Internal tracking:

• ID: PM-10422
• Link: https://bitwarden.atlassian.net/browse/PM-10422