GitHub Advisory Database: GHSA-4M6J-23P2-8C54

Armeria SAML authentication bypass due to missing validation on unsigned SAML messages

Published: 2024-02-26 20:04:37
CWE-304
Source: GitHub Advisory Database (github.com)
Tags: armeria, saml, authentication, bypass, validation, patch, forge, vulnerability

CVSS3: 9.1
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
AI Score: 6.8
Confidence: High
EPSS: 0
Percentile: 9.0%

Impact

The SAML implementation provided by armeria-saml currently accepts unsigned SAML messages (assertions, logout requests, etc.) as they are, rather than rejecting them by default. As a result, an attacker can forge a SAML message to authenticate themselves, despite the fact that such an unsigned SAML message should be rejected.
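The defect described above, as an added illustration that is not Armeria's own code: a validator that treats a missing signature as "nothing to check" next to one that requires a signature and verifies it against the identity provider's credential. It assumes the OpenSAML classes named in the imports (the library armeria-saml builds on) and a `Credential` for the IdP's verification key supplied by the caller.

```java
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.Credential;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureValidator;

/** Illustrative validators (added example, not Armeria's implementation). */
public final class SamlSignatureCheck {

    /**
     * Flawed pattern (CWE-304): the signature is verified only when one is present.
     * An unsigned assertion or logout request passes straight through, so a
     * message that was never signed by the IdP is accepted as genuine.
     */
    public static void validateIfPresent(SignableSAMLObject message, Credential idpCredential)
            throws SignatureException {
        if (!message.isSigned()) {
            return;  // BUG: a missing signature is treated as "nothing to check"
        }
        verify(message.getSignature(), idpCredential);
    }

    /**
     * Hardened pattern: a missing signature is itself a validation failure.
     * Rejecting unsigned messages is the only safe default for assertions
     * and logout requests.
     */
    public static void requireValidSignature(SignableSAMLObject message, Credential idpCredential)
            throws SignatureException {
        final Signature signature = message.getSignature();
        if (!message.isSigned() || signature == null) {
            throw new SignatureException("SAML message is not signed; rejecting");
        }
        verify(signature, idpCredential);
    }

    private static void verify(Signature signature, Credential idpCredential)
            throws SignatureException {
        // 1. Structural check before any cryptography: the ds:Signature must follow
        //    the SAML signature profile (enveloped, referencing its parent by ID).
        new SAMLSignatureProfileValidator().validate(signature);
        // 2. Cryptographic check against the IdP's configured verification credential,
        //    never against key material carried inside the message itself.
        SignatureValidator.validate(signature, idpCredential);
    }

    private SamlSignatureCheck() {}
}
```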

Patches

The vulnerability has been patched in Armeria version 1.27.2. All users who rely on armeria-saml older than version 1.27.2 must upgrade to 1.27.2 or later.

Workarounds

There is no known workaround for this vulnerability.

References

SamlMessageUtil.validateSignature()

Affected configurations

Vulners node: com.linecorp.armeria : armeria-saml, range 1.27.1
Vendor: com.linecorp.armeria
Product: armeria-saml
Version: *
CPE: cpe:2.3:a:com.linecorp.armeria:armeria-saml:*:*:*:*:*:*:*:*
