Description
A vulnerability has been discovered in the Auth0 passport-wsfed-saml2 library affecting versions < 3.0.5. This vulnerability allows an attacker to impersonate another user and potentially elevate their privileges if the SAML identity provider does not sign the full SAML response (e.g., only signs the assertion within the response).
Remediation
References
https://auth0.com/docs/security/bulletins/cve-2017-16897
Related Vulnerabilities
CVE-2016-0732 Vulnerability in maven package org.cloudfoundry.identity:cloudfoundry-identity-server
CVE-2023-43643 Vulnerability in maven package org.owasp.antisamy:antisamy
CVE-2020-2283 Vulnerability in maven package org.jenkins-ci.plugins:liquibase-runner
CVE-2023-50719 Vulnerability in maven package org.xwiki.platform:xwiki-platform-mail-general
CVE-2018-5158 Vulnerability in maven package org.webjars.bower:pdfjs-dist