Description

Clever saml2-js 2.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.

Remediation

References

https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations

https://www.kb.cert.org/vuls/id/475445

Related Vulnerabilities

CVE-2021-24122 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

CVE-2020-14967 Vulnerability in npm package jsrsasign

CVE-2018-14041 Vulnerability in maven package org.webjars.bowergithub.twbs:bootstrap

CVE-2021-21685 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2023-24807 Vulnerability in maven package org.webjars.npm:undici

Severity

Critical

Classification

CWE-287 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Technical Description Third Party Advisory US Government Resource