Lucene search

K
nvd[email protected]NVD:CVE-2023-40178
HistoryAug 23, 2023 - 9:15 p.m.

CVE-2023-40178

2023-08-2321:15:08
CWE-613
CWE-347
web.nvd.nist.gov
3
cve-2023-40178
node-saml
saml library
logoutrequest
timestamp checking
xml
expired
user impact
service providers
patch

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS

0.001

Percentile

39.7%

Node-SAML is a SAML library not dependent on any frameworks that runs in Node. The lack of checking of current timestamp allows a LogoutRequest XML to be reused multiple times even when the current time is past the NotOnOrAfter. This could impact the user where they would be logged out from an expired LogoutRequest. In bigger contexts, if LogoutRequests are sent out in mass to different SPs, this could impact many users on a large scale. This issue was patched in version 4.0.5.

Affected configurations

Nvd
Node
node_saml_projectnode_samlRange<4.0.5node.js
VendorProductVersionCPE
node_saml_projectnode_saml*cpe:2.3:a:node_saml_project:node_saml:*:*:*:*:*:node.js:*:*

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS

0.001

Percentile

39.7%