CVE-2020-5407

Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an arbitrary assertion that Spring Security will accept as valid.
Configurations

Configuration 1

cpe:2.3:a:pivotal_software:spring_security:*:*:*:*:*:*:*:*
cpe:2.3:a:pivotal_software:spring_security:*:*:*:*:*:*:*:*

Information

Published : 2020-05-13 05:15

Updated : 2021-06-14 06:15


NVD link : CVE-2020-5407

Mitre link : CVE-2020-5407

Products Affected
No products.
CWE
CWE-347

Improper Verification of Cryptographic Signature