Authentication Bypass

Affecting saml2-js package, versions <2.0.5


Overview

saml2-js is a Node module that abstracts away the complexities of the SAML protocol behind an easy-to-use interface.

Affected versions of this package are vulnerable to Authentication Bypass. The package fails to enforce the assertion conditions for encrypted assertions, which may allow an attacker to reuse encrypted assertion tokens indefinitely.
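The check that the advisory says was skipped for encrypted assertions is enforcement of the assertion's Conditions element (its NotBefore/NotOnOrAfter validity window and AudienceRestriction). The following is an added example, not saml2-js code, of how a service provider can enforce those conditions on an assertion that has already been decrypted and signature-verified; the assertion XML, entity ID and timestamps are constructed, and XML is extracted with regular expressions only to keep the example dependency-free.

```javascript
// Added example (not saml2-js code): enforce SAML 2.0 <Conditions> on a
// DECRYPTED, signature-verified assertion. Skipping this for encrypted
// assertions is what let the same assertion be replayed after its window closed.
// Regex extraction is a simplification; a real SP should use an XML parser.
const CONDITIONS_RE = /<(?:[\w-]+:)?Conditions\b([^>]*)>([\s\S]*?)<\/(?:[\w-]+:)?Conditions>/;
const AUDIENCE_RE = /<(?:[\w-]+:)?Audience>\s*([^<\s]+)\s*<\/(?:[\w-]+:)?Audience>/g;

function attr(attrs, name) {
  const m = new RegExp(`\\b${name}="([^"]*)"`).exec(attrs);
  return m ? m[1] : null;
}

// Returns { ok: true } or { ok: false, reason }.
// opts: { audience: our SP entity ID, now: ms since epoch, clockSkewMs }
function checkAssertionConditions(assertionXml, opts) {
  const { audience, now = Date.now(), clockSkewMs = 0 } = opts;
  const m = CONDITIONS_RE.exec(assertionXml);
  if (!m) return { ok: false, reason: 'missing Conditions' };
  const [, attrs, body] = m;

  const notBefore = attr(attrs, 'NotBefore');
  if (notBefore !== null) {
    const t = Date.parse(notBefore);
    if (Number.isNaN(t)) return { ok: false, reason: 'bad NotBefore' };
    if (now + clockSkewMs < t) return { ok: false, reason: 'not yet valid' };
  }
  const notOnOrAfter = attr(attrs, 'NotOnOrAfter');
  if (notOnOrAfter !== null) {
    const t = Date.parse(notOnOrAfter);
    if (Number.isNaN(t)) return { ok: false, reason: 'bad NotOnOrAfter' };
    // NotOnOrAfter is exclusive: the assertion is already invalid at that instant.
    if (now - clockSkewMs >= t) return { ok: false, reason: 'expired' };
  }
  // If an AudienceRestriction is present, our entity ID must be listed.
  const audiences = [...body.matchAll(AUDIENCE_RE)].map(a => a[1]);
  if (/AudienceRestriction/.test(body) && !audiences.includes(audience)) {
    return { ok: false, reason: 'audience mismatch' };
  }
  return { ok: true };
}

// Constructed sample of a decrypted assertion, valid for five minutes.
const SAMPLE_ASSERTION = `
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed">
  <saml:Conditions NotBefore="2019-10-21T10:00:00Z" NotOnOrAfter="2019-10-21T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>`;
const SP_ENTITY_ID = 'https://sp.example.com/metadata';
```

Run the check every time, after decryption, regardless of whether the assertion arrived encrypted or in the clear; a small clock skew allowance covers IdP/SP clock drift without reopening the replay window.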

Remediation

Upgrade saml2-js to version 2.0.5 or higher.

CVSS Score: 6.8 (medium severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: None
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Credit: Jon Langlois
CWE: CWE-287
Snyk ID: SNYK-JS-SAML2JS-474637
Disclosed: 21 Oct, 2019
Published: 01 Nov, 2019