Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTU5OWgtOHdwai03NXhq
Authentication Bypass in tyk-identity-broker
The package github.com/tyktechnologies/tyk-identity-broker before 1.1.1 are vulnerable to Authentication Bypass via the Go XML parser which can cause SAML authentication bypass. This is because the XML parser doesn’t guarantee integrity in the XML round-trip (encoding/decoding XML data).
Permalink: https://github.com/advisories/GHSA-599h-8wpj-75xjJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTU5OWgtOHdwai03NXhq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 3 years ago
Updated: over 1 year ago
CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Identifiers: GHSA-599h-8wpj-75xj, CVE-2021-23365
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-23365
- https://github.com/TykTechnologies/tyk-identity-broker/pull/147
- https://github.com/TykTechnologies/tyk-identity-broker/commit/243092965b0f93a95a14cb882b5b9a3df61dd5c0
- https://github.com/TykTechnologies/tyk-identity-broker/commit/46f70420e0911e4e8b638575e29d394c227c75d0
- https://github.com/TykTechnologies/tyk-identity-broker/releases/tag/v1.1.1
- https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTYKTECHNOLOGIESTYKIDENTITYBROKER-1089720
- https://github.com/advisories/GHSA-599h-8wpj-75xj
Blast Radius: 1.0
Affected Packages
go:github.com/tyktechnologies/tyk-identity-broker
Dependent packages: 0Dependent repositories: 0
Downloads:
Affected Version Ranges: < 1.1.1
Fixed in: 1.1.1
All affected versions: 0.2.1, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.6.1, 0.7.0, 0.7.1, 0.7.2, 1.0.0, 1.1.0
All unaffected versions: 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.5.0, 1.5.1