CVE-2020-5268 Subject Confirmation Method not validated in Saml2 Authentication Services for ASP.NET
In Saml2 Authentication Services for ASP.NET versions before 1.0.2, and between 2.0.0 and 2.6.0, there is a vulnerability in how tokens are validated in some cases. Saml2 tokens are usually used as bearer tokens - a caller that presents a token is assumed to be the subject of the token. There is...
CVE-2020-5268
In Saml2 Authentication Services for ASP.NET, versions before 1.0.2 and between 2.0.0 and 2.6.0 contain a vulnerability in token validation. Sustainsys.Saml2 incorrectly treats all incoming tokens as bearer tokens, despite tokens being subject-confirmed by other means (e.g., holder-of-key). An at...