Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTdmcHctY2ZjNC0zcDJj
Duplicate advisory: High severity vulnerability that affects passport-wsfed-saml2
Duplicate advisory
This advisory has been withdrawn because it is a duplicate of GHSA-77fw-rf4v-vfp9. This link is maintained to preserve external references.
Original Description
A vulnerability has been discovered in the Auth0 passport-wsfed-saml2 library affecting versions < 3.0.5. This vulnerability allows an attacker to impersonate another user and potentially elevate their privileges if the SAML identity provider does not sign the full SAML response (e.g., only signs the assertion within the response).
Permalink: https://github.com/advisories/GHSA-7fpw-cfc4-3p2c
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTdmcHctY2ZjNC0zcDJj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 6 years ago
Updated: 10 months ago
Withdrawn: 10 months ago
CVSS Score: 8.1
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-7fpw-cfc4-3p2c
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-16897
- https://auth0.com/docs/security/bulletins/cve-2017-16897
- https://github.com/advisories/GHSA-7fpw-cfc4-3p2c
Affected Packages
npm:passport-wsfed-saml2
Dependent packages: 3
Dependent repositories: 11
Downloads: 12,924 last month
Affected Version Ranges: < 3.0.5
Fixed in: 3.0.5
All affected versions: 0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.3.9, 0.3.10, 0.3.11, 0.3.12, 0.5.0, 0.6.0, 0.6.1, 0.7.1, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.6, 0.8.7, 0.8.8, 0.8.9, 0.9.0, 0.10.0, 0.10.1, 0.11.0, 0.12.0, 0.13.0, 0.13.1, 0.13.2, 0.14.0, 0.15.0, 0.16.0, 0.16.1, 0.17.0, 0.18.0, 0.19.0, 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.11.4, 2.11.5, 2.11.6, 2.12.0, 2.13.0, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4
All unaffected versions: 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.0.14, 3.0.15, 3.0.16, 3.0.17, 4.0.0, 4.0.1, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.5.1, 4.6.0, 4.6.1, 4.6.3