8.1
CVE-2022-39300
- EPSS 0.15%
- Published 13.10.2022 22:15:10
- Last modified 21.11.2024 07:17:59
- Source security-advisories@github.com
node SAML is a SAML 2.0 library based on the SAML implementation of passport-saml. A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML element. Depending on the IDP used, fully unauthenticated attacks (e.g. without access to a valid user) might also be feasible if generation of a signed message can be triggered. Users should upgrade to node-saml version 4.0.0-beta5 or newer. Disabling SAML authentication may be done as a workaround.
Data is provided by the National Vulnerability Database (NVD)
Node Saml Project ≫ Node Saml, SwPlatform: node.js, Version: < 4.0.0
Node Saml Project ≫ Node Saml, Version: 4.0.0, Update: beta0, SwPlatform: node.js
Node Saml Project ≫ Node Saml, Version: 4.0.0, Update: beta1, SwPlatform: node.js
Node Saml Project ≫ Node Saml, Version: 4.0.0, Update: beta2, SwPlatform: node.js
Node Saml Project ≫ Node Saml, Version: 4.0.0, Update: beta3, SwPlatform: node.js
Node Saml Project ≫ Node Saml, Version: 4.0.0, Update: beta4, SwPlatform: node.js
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.15% | 0.367 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.1 | 2.2 | 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| security-advisories@github.com | 7.7 | 2.2 | 5.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L |
CWE-347 Improper Verification of Cryptographic Signature
The product does not verify, or incorrectly verifies, the cryptographic signature for data.