Skip to main content

EJBCA Security Advisory - Audience Claims not Required by Default - News / PrimeKey Announcements - PrimeKey Support

Oct 18 2021

EJBCA Security Advisory - Audience Claims not Required by Default

Authors list

Dear Customers and Partners,

PrimeKey has released an update to address a vulnerability in EJBCA found as a part of our internal testing. As a part of PrimeKey's new policy, we will be submitting this issue publicly as a CVE two weeks after alerting customers

Issue Summary

In the implementation of our OAuth authentication to the EJBCA UI, the audience (aud) claim was not required to be checked by default. The consequence of this is that a user could potentially use a valid claim issued for a different audience to access EJBCA, though note that their primary claim would still have to be configured in a Role. 

Note that not all OAuth providers provide aud claims, but notably Azure OAuth does. 

Who is potentially affected

Anybody using OAuth to access EJBCA, from a provider that assumes that an audience claim will be checked. 


PrimeKey rates the issue as having medium impact and low probability.

Risk Assessment

Impact is medium as an attacker would potentially gain access to an unintended Role. Probability is low as such an attacker would need to first get access to a valid OAuth token, then that a Role be configured to the claim in that token but for a different intended audience.


Anybody using OAuth to access EJBCA.


This issue has been fixed in EJBCA 7.8.0 and later. When upgrading to EJBCA 7.8.0, the prior to performing post-upgrade you will be prompted to fill in the aud claim for any defined OAuth providers.

EJBCA 7.8.0 is included in Appliance version 3.9.1 and EJBCA Cloud 2.9.0

If you have any questions, please contact support.

Contact us:

Global support number: +1 251 317 6984