CVE Vulnerability

CVE-2022-41912

The crewjam/saml go library prior to version 0.4.9 is vulnerable to an authentication bypass when processing SAML responses containing multiple Assertion elements. This issue has been corrected in version 0.4.9. There are no workarounds other than upgrading to a fixed version.

9.8 /10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/crewjam/saml/commit/aee3fb1edeeaf1088fcb458727e0fd863d277f8b Patch Third Party Advisory
https://github.com/crewjam/saml/security/advisories/GHSA-j2jp-wvqg-wc2g Third Party Advisory
http://packetstormsecurity.com/files/170356/crewjam-saml-Signature-Bypass.html Third Party Advisory VDB Entry
Configurations

Configuration 1

cpe:2.3:a:saml_project:saml:*:*:*:*:*:go:*:*
Information

Published : 2022-11-28 03:15

Updated : 2023-02-01 03:48

NVD link : CVE-2022-41912

Mitre link : CVE-2022-41912

Products Affected
No products.
CWE
CWE-287