GHSA-m974-647v-whv7

Source

https://github.com/advisories/GHSA-m974-647v-whv7

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-m974-647v-whv7/GHSA-m974-647v-whv7.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-m974-647v-whv7

Aliases

CVE-2022-39299

Related

CVE-2022-39299

Published

2022-10-12T22:05:41Z

Modified

2023-11-01T04:59:49.043062Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Signature bypass via multiple root elements

Details

Impact

A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML element. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if generation of a signed message can be triggered.

Patches

Users should upgrade to passport-saml 3.2.2 or newer. The issue was also present in the beta releases of node-saml before v4.0.0-beta.5.

Workarounds

Disable SAML authentication.

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory: * Open a discussion in the node-saml repo

Credits

Felix Wilhelm of Google Project Zero

Database specific

{
    "nvd_published_at": "2022-10-12T21:15:00Z",
    "github_reviewed_at": "2022-10-12T22:05:41Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-347"
    ]
}

References

Affected packages

npm / passport-saml

Package

Name: passport-saml; View open source insights on deps.dev
Purl: pkg:npm/passport-saml

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.2.2

npm / node-saml

Package

Name: node-saml; View open source insights on deps.dev
Purl: pkg:npm/node-saml

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.0.0-beta.5

npm / @node-saml/node-saml

Package

Name: @node-saml/node-saml; View open source insights on deps.dev
Purl: pkg:npm/%40node-saml/node-saml

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.0.0-beta.5

npm / @node-saml/passport-saml

Package

Name: @node-saml/passport-saml; View open source insights on deps.dev
Purl: pkg:npm/%40node-saml/passport-saml

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.0.0-beta.3