CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
AI Score
Confidence
Low
github.com/RobotsAndPencils/go-saml is vulnerable to an Authentication Bypass. The vulnerability is due to improper configuration of the xmlsec1 tool in the go-saml library, which fails to restrict the origin of the public key used for signature verification. It allows an attacker to sign SAML assertions themselves and provide the required public key directly embedded in the SAML token.