GoogleOSV:GHSA-M974-647V-WHV7Signature bypass via multiple root elements
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
0.009 Low
EPSS
Percentile
83.2%
Impact
A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML element. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if generation of a signed message can be triggered.
Patches
Users should upgrade to passport-saml 3.2.2 or newer. The issue was also present in the beta releases of node-saml before v4.0.0-beta.5.
Workarounds
Disable SAML authentication.
References
Are there any links users can visit to find out more?
For more information
If you have any questions or comments about this advisory:
- Open a discussion in the node-saml repo
Credits
- Felix Wilhelm of Google Project Zero
| CPE | Name | Operator | Version |
|---|---|---|---|
| passport-saml | lt | 3.2.2 | |
| node-saml | lt | 4.0.0-beta.5 | |
| @node-saml/passport-saml | lt | 4.0.0-beta.3 | |
| @node-saml/node-saml | lt | 4.0.0-beta.5 |
References
packetstormsecurity.com/files/169826/Node-saml-Root-Element-Signature-Bypass.html
github.com/node-saml/passport-saml
github.com/node-saml/passport-saml/commit/8b7e3f5a91c8e5ac7e890a0c90bc7491ce33155e
github.com/node-saml/passport-saml/releases/tag/v3.2.2
github.com/node-saml/passport-saml/security/advisories/GHSA-m974-647v-whv7
nvd.nist.gov/vuln/detail/CVE-2022-39299
Related
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
0.009 Low
EPSS
Percentile
83.2%