8.1
CVE-2022-39300
- EPSS 0.6%
- Veröffentlicht 13.10.2022 22:15:10
- Zuletzt bearbeitet 21.11.2024 07:17:59
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginSignature bypass via multiple root elements in node-SAML
node SAML is a SAML 2.0 library based on the SAML implementation of passport-saml. A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML element. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if generation of a signed message can be triggered. Users should upgrade to node-saml version 4.0.0-beta5 or newer. Disabling SAML authentication may be done as a workaround.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Node Saml Project ≫ Node Saml SwPlatformnode.js Version < 4.0.0
Node Saml Project ≫ Node Saml Version4.0.0 Updatebeta0 SwPlatformnode.js
Node Saml Project ≫ Node Saml Version4.0.0 Updatebeta1 SwPlatformnode.js
Node Saml Project ≫ Node Saml Version4.0.0 Updatebeta2 SwPlatformnode.js
Node Saml Project ≫ Node Saml Version4.0.0 Updatebeta3 SwPlatformnode.js
Node Saml Project ≫ Node Saml Version4.0.0 Updatebeta4 SwPlatformnode.js
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.6% | 0.439 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.1 | 2.2 | 5.9 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| security-advisories@github.com | 7.7 | 2.2 | 5.5 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
|
CWE-347 Improper Verification of Cryptographic Signature
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
https://github.com/node-saml/node-saml/commit/c1f275c289c01921e58f5c70ce0fdbc5287e5fbe
https://github.com/node-saml/node-saml/security/advisories/GHSA-5p8w-2mvw-38pv