Lucene search

K
nvd[email protected]NVD:CVE-2022-41912
HistoryNov 28, 2022 - 3:15 p.m.

CVE-2022-41912

2022-11-2815:15:10
CWE-287
web.nvd.nist.gov
8
vulnerability
crewjam/saml
authentication bypass
saml
assertion elements
upgrade

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.006

Percentile

78.0%

The crewjam/saml go library prior to version 0.4.9 is vulnerable to an authentication bypass when processing SAML responses containing multiple Assertion elements. This issue has been corrected in version 0.4.9. There are no workarounds other than upgrading to a fixed version.

Affected configurations

Nvd
Node
saml_projectsamlRange<0.4.9go
VendorProductVersionCPE
saml_projectsaml*cpe:2.3:a:saml_project:saml:*:*:*:*:*:go:*:*

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.006

Percentile

78.0%