CVE-2020-12676

Опубликовано: 02 окт. 2020

Источник: nvd

CVSS3: 9.1

CVSS2: 6.4

EPSS Низкий

Описание

FusionAuth fusionauth-samlv2 0.2.3 allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack".

Ссылки

http://packetstormsecurity.com/files/159454/FusionAuth-SAMLv2-0.2.3-Message-Forging.html
Exploit
Third Party Advisory
VDB Entry
http://seclists.org/fulldisclosure/2020/Oct/1
Exploit
Mailing List
Third Party Advisory
https://compass-security.com/fileadmin/Research/Advisories/2020-06_CSNC-2020-002_FusionAuth_Signature_Exclusion_Attack.txt
Exploit
Mailing List
Vendor Advisory
https://github.com/SAMLRaider/SAMLRaider
Third Party Advisory
https://www.nds.ruhr-uni-bochum.de/media/nds/veroeffentlichungen/2012/08/22/BreakingSAML_3.pdf
Exploit
Third Party Advisory
http://packetstormsecurity.com/files/159454/FusionAuth-SAMLv2-0.2.3-Message-Forging.html
Exploit
Third Party Advisory
VDB Entry
http://seclists.org/fulldisclosure/2020/Oct/1
Exploit
Mailing List
Third Party Advisory
https://compass-security.com/fileadmin/Research/Advisories/2020-06_CSNC-2020-002_FusionAuth_Signature_Exclusion_Attack.txt
Exploit
Mailing List
Vendor Advisory
https://github.com/SAMLRaider/SAMLRaider
Third Party Advisory
https://www.nds.ruhr-uni-bochum.de/media/nds/veroeffentlichungen/2012/08/22/BreakingSAML_3.pdf
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:fusionauth:samlv2:0.2.3:*:*:*:*:*:*:*

EPSS

Процентиль: 36%

0.00148

Низкий

9.1 Critical

CVSS3

6.4 Medium

CVSS2

Дефекты

CWE-347

Связанные уязвимости

GHSA-qh45-328h-49g4

github

больше 3 лет назад