Description
Authentication Bypass in saml2-js
Versions of saml2-js prior to 2.0.5 are vulnerable to an Authentication Bypass. The package fails to enforce the assertion conditions for encrypted assertions, which may allow an attacker to reuse encrypted assertion tokens indefinitely.
Recommendation
Upgrade to version 2.0.5 or later.
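The class of check the description refers to, as an added example (not saml2-js code and not taken from the advisory): validating the `<Conditions>` validity window and audience on an assertion's plaintext, which has to run the same way whether or not the assertion arrived encrypted. The function names, the 60-second skew, the entity ID and the policy of rejecting assertions that carry no `NotOnOrAfter` are assumptions of this example.

```javascript
// Added example: enforce SAML <Conditions> on every assertion, including one
// recovered from <EncryptedAssertion>. Assumes the XML passed in is already
// signature-verified and decrypted; the regexes stand in for a real XML parser.
const CLOCK_SKEW_MS = 60 * 1000; // tolerated clock drift (assumed value)

function extractConditions(assertionXml) {
  const open = /<(?:\w+:)?Conditions\b([^>]*)>/.exec(assertionXml);
  if (!open) return null;
  const attr = (name) => {
    const m = new RegExp(`\\b${name}="([^"]*)"`).exec(open[1]);
    return m ? m[1] : undefined;
  };
  const audiences = [];
  const re = /<(?:\w+:)?Audience>([^<]*)<\/(?:\w+:)?Audience>/g;
  for (let m; (m = re.exec(assertionXml)) !== null; ) audiences.push(m[1].trim());
  return { notBefore: attr('NotBefore'), notOnOrAfter: attr('NotOnOrAfter'), audiences };
}

function validateConditions(assertionXml, expectedAudience, now = new Date()) {
  const c = extractConditions(assertionXml);
  // Fail closed: an assertion with no expiry could be replayed forever.
  if (!c || c.notOnOrAfter === undefined) return { ok: false, reason: 'missing_conditions' };
  const t = now.getTime();
  const notOnOrAfter = Date.parse(c.notOnOrAfter);
  const notBefore = c.notBefore === undefined ? -Infinity : Date.parse(c.notBefore);
  if (Number.isNaN(notOnOrAfter) || Number.isNaN(notBefore)) {
    return { ok: false, reason: 'bad_timestamp' };
  }
  if (t + CLOCK_SKEW_MS < notBefore) return { ok: false, reason: 'not_yet_valid' };
  if (t - CLOCK_SKEW_MS >= notOnOrAfter) return { ok: false, reason: 'expired' };
  if (c.audiences.length > 0 && !c.audiences.includes(expectedAudience)) {
    return { ok: false, reason: 'audience_mismatch' };
  }
  return { ok: true };
}

// Constructed sample: the plaintext of a decrypted assertion, valid for five minutes.
const SAMPLE_ASSERTION = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed">
  <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>`;
const SP_ENTITY_ID = 'https://sp.example.test/metadata';

console.log(validateConditions(SAMPLE_ASSERTION, SP_ENTITY_ID, new Date('2024-01-01T10:02:00Z')));
console.log(validateConditions(SAMPLE_ASSERTION, SP_ENTITY_ID, new Date('2024-01-02T10:02:00Z')));
```

Pairing this window check with a cache of already-seen assertion IDs for the length of the validity window also blocks reuse inside the window.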
Packages
Name: saml2-js (npm)
Affected versions: < 2.0.5
Fixed version: 2.0.5
CVSS3: 6.8 Medium
Weaknesses
CWE-287