Lucene search
PRIOn knowledge basePRION:CVE-2022-23505HistoryDec 13, 2022 - 8:15 a.m.
Authentication flaw
2022-12-1308:15:00
PRIOn knowledge base
www.prio-n.com
8
passport-wsfed-saml2
authentication flaw
bypass
wsfed
saml2 tokens
remote attacker
patched
version 4.6.3
workaround
Passport-wsfed-saml2 is a ws-federation protocol and SAML2 tokens authentication provider for Passport. In versions prior to 4.6.3, a remote attacker may be able to bypass WSFed authentication on a website using passport-wsfed-saml2. A successful attack requires that the attacker is in possession of an arbitrary IDP signed assertion. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if generation of a signed message can be triggered. This issue is patched in version 4.6.3. Use of SAML2 authentication instead of WSFed is a workaround.
| CPE | Name | Operator | Version |
|---|---|---|---|
| passport-wsfed-saml2 | le | 4.6.2 |
Related
veracode
veracode
Authentication Bypass
2022-12-14 03:21:00
cve
cve
CVE-2022-23505
2022-12-13 08:15:09
osv
osv
Authentication Bypass for passport-wsfed-saml2
2022-12-13 17:16:36
cvelist
cvelist
nvd
nvd
CVE-2022-23505
2022-12-13 08:15:09
github
github
Authentication Bypass for passport-wsfed-saml2
2022-12-13 17:16:36