8.8
CVE-2020-5407
- EPSS 0.67%
- Veröffentlicht 13.05.2020 17:15:11
- Zuletzt bearbeitet 21.11.2024 05:34:06
- Quelle security@pivotal.io
- CVE-Watchlists
- Unerledigt
LoginSignature Wrapping Vulnerability with spring-security-saml2-service-provider
Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an arbitrary assertion that Spring Security will accept as valid.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Pivotal Software ≫ Spring Security Version >= 5.2.0 < 5.2.4
Pivotal Software ≫ Spring Security Version >= 5.3.0 < 5.3.2
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.67% | 0.688 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 6.5 | 8 | 6.4 |
AV:N/AC:L/Au:S/C:P/I:P/A:P
|
CWE-347 Improper Verification of Cryptographic Signature
The product does not verify, or incorrectly verifies, the cryptographic signature for data.