Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS00bWg4LTl3cTYtcmp4Z84AA00j

OpenAM vulnerable to user impersonation using SAMLv1.x SSO process

Impact

OpenAM up to version 14.7.2 does not properly validate the signature of SAML responses received as part of the SAMLv1.x Single Sign-On process. Attackers can use this fact to impersonate any OpenAM user, including the administrator, by sending a specially crafted SAML response to the SAMLPOSTProfileServlet servlet.

Patches

This problem has been patched in OpenAM 14.7.3-SNAPSHOT and later

Workarounds

One should comment servlet SAMLPOSTProfileServlet in web.xml or disable SAML in OpenAM

<servlet>
    <description>SAMLPOSTProfileServlet</description>
    <servlet-name>SAMLPOSTProfileServlet</servlet-name>
    <servlet-class>com.sun.identity.saml.servlet.SAMLPOSTProfileServlet</servlet-class>
</servlet>
...
<servlet-mapping>
    <servlet-name>SAMLSOAPReceiver</servlet-name>
    <url-pattern>/SAMLSOAPReceiver</url-pattern>
</servlet-mapping>

References

#624

Permalink: https://github.com/advisories/GHSA-4mh8-9wq6-rjxg
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00bWg4LTl3cTYtcmp4Z84AA00j
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 10 months ago
Updated: 6 months ago

CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Identifiers: GHSA-4mh8-9wq6-rjxg, CVE-2023-37471
References:

Repository: https://github.com/OpenIdentityPlatform/OpenAM
Blast Radius: 7.1

Affected Packages

maven:org.openidentityplatform.openam:openam-federation-library

Dependent packages: 12
Dependent repositories: 6
Downloads:
Affected Version Ranges: < 14.7.3
Fixed in: 14.7.3
All affected versions: 14.5.2, 14.5.3, 14.5.4, 14.6.1, 14.6.2, 14.6.3, 14.6.4, 14.6.5, 14.6.6, 14.7.0, 14.7.1, 14.7.2
All unaffected versions: 14.7.3, 14.7.4, 14.8.1, 14.8.2, 14.8.3, 14.8.4