Description

Clever saml2-js 2.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.

Remediation

References

https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations

https://www.kb.cert.org/vuls/id/475445

Related Vulnerabilities

CVE-2022-25852 Vulnerability in npm package pg-native

CVE-2022-25645 Vulnerability in npm package dset

CVE-2022-23496 Vulnerability in maven package nl.basjes.parse.useragent:yauaa-logparser

CVE-2021-29445 Vulnerability in npm package jose-node-esm-runtime

CVE-2024-36401 Vulnerability in maven package org.geoserver.web:gs-web-app

Severity

Critical

Classification

CWE-287 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Technical Description Third Party Advisory US Government Resource