GHSA-g6j2-ch25-5mmv

Suggest an improvement
Source
https://github.com/advisories/GHSA-g6j2-ch25-5mmv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-g6j2-ch25-5mmv/GHSA-g6j2-ch25-5mmv.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-g6j2-ch25-5mmv
Aliases
Published
2020-03-25T16:52:49Z
Modified
2023-11-01T04:53:22.654206Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N CVSS Calculator
Summary
Missing Token Replay Detection in Saml2 Authentication services for ASP.NET
Details

Impact

Token Replay Detection is an important defence in depth measure for Single Sign On solutions. In all previous 2.X versions, the Token Replay Detection is not properly implemented.

Note that version 1.0.1 is not affected. It has a correct Token Replay Implementation and is safe to use.

Patches

The 2.5.0 version is patched.

Workarounds

There are no workarounds with existing versions. Fixing the issue requires code updates.

References

https://en.wikipedia.org/wiki/Replay_attack

For more information

If you have any questions or comments about this advisory: * Comment on #711. * Email us at security@sustainsys.com if you think that there are further security issues.

Database specific
{
    "nvd_published_at": "2020-03-25T02:15:00Z",
    "github_reviewed_at": "2020-03-25T01:16:34Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-294"
    ]
}
References

Affected packages

NuGet / Sustainsys.Saml2

Package

Name
Sustainsys.Saml2
View open source insights on deps.dev
Purl
pkg:nuget/Sustainsys.Saml2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.5.0

Affected versions

2.*

2.0.0
2.1.0
2.2.0
2.3.0
2.4.0