Lucene search
Veracode Vulnerability DatabaseVERACODE:37562HistoryOct 14, 2022 - 11:00 a.m.
Improper Verification Of Cryptographic Signature
2022-10-1411:00:44
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
16
0.009 Low
EPSS
Percentile
83.2%
Passport-saml is vulnerable to improper cryptographic signature verification. A remote attacker is able to bypass SAML authentication via an arbitrary IDP signed XML element, due to improper checks for a valid top-level signature in saml.ts .
| CPE | Name | Operator | Version |
|---|---|---|---|
| passport-saml | le | 3.2.1 | |
| passport-saml | le | 3.2.1 |
References
packetstormsecurity.com/files/169826/Node-saml-Root-Element-Signature-Bypass.html
github.com/advisories/GHSA-m974-647v-whv7
github.com/node-saml/passport-saml/commit/8b7e3f5a91c8e5ac7e890a0c90bc7491ce33155e
github.com/node-saml/passport-saml/issues/790
github.com/node-saml/passport-saml/releases/tag/v3.2.2
github.com/node-saml/passport-saml/security/advisories/GHSA-m974-647v-whv7
Related
cvelist
cvelist
CVE-2022-39299 Signature bypass via multiple root elements in Passport-SAML
2022-10-12 00:00:00
CVE-2022-39353 xmldom allows multiple root nodes in a DOM
2022-11-02 00:00:00
cve
cve
CVE-2022-39299
2022-10-12 21:15:09
CVE-2022-39353
2022-11-02 17:15:17
github
github
Signature bypass via multiple root elements
2022-10-12 22:05:41
xmldom allows multiple root nodes in a DOM
2022-11-01 17:29:11
nvd
nvd
CVE-2022-39299
2022-10-12 21:15:09
CVE-2022-39353
2022-11-02 17:15:17
osv
osv
CVE-2022-39299
2022-10-12 21:15:09
Signature bypass via multiple root elements
2022-10-12 22:05:41
CVE-2022-39353
2022-11-02 17:15:17
githubexploit
githubexploit
prion
prion
Authentication flaw
2022-10-12 21:15:00
Design/Logic Flaw
2022-11-02 17:15:00
debiancve
debiancve
CVE-2022-39353
2022-11-02 17:15:17
redhatcve
redhatcve
CVE-2022-39353
2022-11-14 03:56:39
ubuntucve
ubuntucve
CVE-2022-39353
2022-11-02 00:00:00
openvas
openvas
Debian: Security Advisory (DLA-3260-1)
2023-01-02 00:00:00
debian
debian
[SECURITY] [DLA 3260-1] node-xmldom security update
2023-01-01 17:00:48
nessus
nessus
Debian DLA-3260-1 : node-xmldom - LTS security update
2023-01-07 00:00:00
Ubuntu 20.04 LTS / 22.04 LTS : xmldom vulnerabilities (USN-6102-1)
2023-05-24 00:00:00