8.1
CVE-2022-39299
- EPSS 7.45%
- Published 12.10.2022 21:15:09
- Last modified 21.11.2024 07:17:59
- Source security-advisories@github.com
- Teams watchlist Login
- Open Login
Passport-SAML is a SAML 2.0 authentication provider for Passport, the Node.js authentication library. A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML element. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if generation of a signed message can be triggered. Users should upgrade to passport-saml version 3.2.2 or newer. The issue was also present in the beta releases of `node-saml` before version 4.0.0-beta.5. If you cannot upgrade, disabling SAML authentication may be done as a workaround.
Data is provided by the National Vulnerability Database (NVD)
Passport-saml Project ≫ Passport-saml SwPlatformnode.js Version < 3.2.2
Passport-saml Project ≫ Passport-saml Version4.0.0 Updatebeta1 SwPlatformnode.js
Passport-saml Project ≫ Passport-saml Version4.0.0 Updatebeta2 SwPlatformnode.js
Passport-saml Project ≫ Passport-saml Version4.0.0 Updatebeta3 SwPlatformnode.js
Passport-saml Project ≫ Passport-saml Version4.0.0 Updatebeta4 SwPlatformnode.js
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 7.45% | 0.914 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 8.1 | 2.2 | 5.9 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| security-advisories@github.com | 7.4 | 2.2 | 5.2 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
|
CWE-347 Improper Verification of Cryptographic Signature
The product does not verify, or incorrectly verifies, the cryptographic signature for data.