Описание
SSOReady has an XML Signature Bypass via differential XML parsing
Affected versions are vulnerable to XML signature bypass attacks. An attacker can carry out signature bypass if you have access to certain IDP-signed messages. The underlying mechanism exploits differential behavior between XML parsers.
Users of https://ssoready.com, the public hosted instance of SSOReady, are unaffected. We advise folks who self-host SSOReady to upgrade to 7f92a06 or later. Do so by updating your SSOReady Docker images from sha-... to sha-7f92a06. The documentation for self-hosting SSOReady is available here.
Vulnerability was discovered by @ahacker1-securesaml. It's likely the precise mechanism of attack affects other SAML implementations, so the reporter and I (@ucarion) have agreed to not disclose it in detail publicly at this time.
Ссылки
- https://github.com/ssoready/ssoready/security/advisories/GHSA-j2hr-q93x-gxvh
- https://nvd.nist.gov/vuln/detail/CVE-2024-47832
- https://github.com/ssoready/ssoready/commit/7f92a0630439972fcbefa8c7eafe8c144bd89915
- https://pkg.go.dev/vuln/GO-2024-3185
- https://ssoready.com/docs/self-hosting/self-hosting-sso-ready
Пакеты
github.com/ssoready/ssoready
< 0.0.0-20241009153838-7f92a0630439
0.0.0-20241009153838-7f92a0630439
EPSS
9.3 Critical
CVSS4
9.8 Critical
CVSS3
CVE ID
Дефекты
Связанные уязвимости
ssoready is a single sign on provider implemented via docker. Affected versions are vulnerable to XML signature bypass attacks. An attacker can carry out signature bypass if you have access to certain IDP-signed messages. The underlying mechanism exploits differential behavior between XML parsers. Users of https://ssoready.com, the public hosted instance of SSOReady, are unaffected. We advise folks who self-host SSOReady to upgrade to 7f92a06 or later. Do so by updating your SSOReady Docker images from sha-... to sha-7f92a06. There are no known workarounds for this vulnerability.
EPSS
9.3 Critical
CVSS4
9.8 Critical
CVSS3