Описание
node SAML is a SAML 2.0 library based on the SAML implementation of passport-saml. A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML element. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if generation of a signed message can be triggered. Users should upgrade to node-saml version 4.0.0-beta5 or newer. Disabling SAML authentication may be done as a workaround.
Ссылки
- PatchThird Party Advisory
- Third Party Advisory
- PatchThird Party Advisory
- Third Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 4.0.0 (исключая)
Одно из
cpe:2.3:a:node_saml_project:node_saml:*:*:*:*:*:node.js:*:*
cpe:2.3:a:node_saml_project:node_saml:4.0.0:beta0:*:*:*:node.js:*:*
cpe:2.3:a:node_saml_project:node_saml:4.0.0:beta1:*:*:*:node.js:*:*
cpe:2.3:a:node_saml_project:node_saml:4.0.0:beta2:*:*:*:node.js:*:*
cpe:2.3:a:node_saml_project:node_saml:4.0.0:beta3:*:*:*:node.js:*:*
cpe:2.3:a:node_saml_project:node_saml:4.0.0:beta4:*:*:*:node.js:*:*
EPSS
Процентиль: 37%
0.00153
Низкий
7.7 High
CVSS3
8.1 High
CVSS3
Дефекты
CWE-347
CWE-347
Связанные уязвимости
EPSS
Процентиль: 37%
0.00153
Низкий
7.7 High
CVSS3
8.1 High
CVSS3
Дефекты
CWE-347
CWE-347