9.8

CVE-2022-41912

EPSS 0.29%
Veröffentlicht 28.11.2022 15:15:10
Zuletzt bearbeitet 21.11.2024 07:24:03
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

The crewjam/saml go library prior to version 0.4.9 is vulnerable to an authentication bypass when processing SAML responses containing multiple Assertion elements. This issue has been corrected in version 0.4.9. There are no workarounds other than upgrading to a fixed version.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Saml Project ≫ Saml SwPlatformgo Version < 0.4.9

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.29%	0.516

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

http://packetstormsecurity.com/files/170356/crewjam-saml-Signature-Bypass.html

Third Party Advisory

VDB Entry

https://github.com/crewjam/saml/commit/aee3fb1edeeaf1088fcb458727e0fd863d277f8b

Patch

Third Party Advisory

https://github.com/crewjam/saml/security/advisories/GHSA-j2jp-wvqg-wc2g

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-41912

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-41912

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-41912

EUVD