Lucene search

K
osvGoogleOSV:GHSA-M974-647V-WHV7
HistoryOct 12, 2022 - 10:05 p.m.

Signature bypass via multiple root elements

2022-10-1222:05:41
Google
osv.dev
15

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

0.009 Low

EPSS

Percentile

83.1%

Impact

A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML element. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if generation of a signed message can be triggered.

Patches

Users should upgrade to passport-saml 3.2.2 or newer. The issue was also present in the beta releases of node-saml before v4.0.0-beta.5.

Workarounds

Disable SAML authentication.

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

Credits

  • Felix Wilhelm of Google Project Zero

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

0.009 Low

EPSS

Percentile

83.1%