Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1mY3AtMzR4dy1wNTd4
Authentication Bypass in saml2-js
Versions of saml2-js prior to 2.0.5 are vulnerable to an Authentication Bypass. The package fails to enforce the assertion conditions for encrypted assertions, which may allow an attacker to reuse encrypted assertion tokens indefinitely.
Recommendation
Upgrade to version 2.0.5 or later.
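The check the advisory describes as missing, as an added example in JavaScript that is not saml2-js's own code: every assertion, encrypted or not, must satisfy its SAML 2.0 Conditions (NotBefore, NotOnOrAfter, AudienceRestriction), and an assertion ID should not be accepted twice inside its validity window. The `conditions` object shape, the `DEFAULT_SKEW_MS` value and the sample times are assumptions for illustration.

```javascript
// Added example (not saml2-js code): validate SAML 2.0 <Conditions> for an assertion
// and reject replays of an already-used assertion ID within its validity window.
const DEFAULT_SKEW_MS = 60 * 1000; // assumed tolerance for IdP/SP clock drift

function checkAssertionConditions(conditions, opts = {}) {
  const now = opts.now ?? Date.now();
  const skew = opts.clockSkewMs ?? DEFAULT_SKEW_MS;
  // An assertion with no Conditions is rejected rather than skipped; the advisory's
  // flaw was that encrypted assertions bypassed this enforcement entirely.
  if (!conditions) return { ok: false, reason: 'missing Conditions' };
  if (conditions.notBefore !== undefined) {
    const nb = Date.parse(conditions.notBefore);
    if (Number.isNaN(nb)) return { ok: false, reason: 'unparseable NotBefore' };
    if (now + skew < nb) return { ok: false, reason: 'not yet valid' };
  }
  if (conditions.notOnOrAfter !== undefined) {
    const noa = Date.parse(conditions.notOnOrAfter);
    if (Number.isNaN(noa)) return { ok: false, reason: 'unparseable NotOnOrAfter' };
    if (now - skew >= noa) return { ok: false, reason: 'expired' };
  }
  if (opts.expectedAudience !== undefined) {
    const audiences = conditions.audiences ?? [];
    if (!audiences.includes(opts.expectedAudience)) {
      return { ok: false, reason: 'audience mismatch' };
    }
  }
  return { ok: true };
}

// Remembers assertion IDs until their NotOnOrAfter passes, so a still-valid
// assertion that was already consumed cannot be presented a second time.
class AssertionReplayCache {
  constructor() { this.seen = new Map(); } // assertion ID -> expiry (ms since epoch)
  accept(id, notOnOrAfter, now = Date.now()) {
    for (const [k, exp] of this.seen) if (exp <= now) this.seen.delete(k);
    if (this.seen.has(id)) return false;
    this.seen.set(id, Date.parse(notOnOrAfter));
    return true;
  }
}

// Constructed sample: a five-minute assertion issued at 12:00 UTC.
const sampleConditions = {
  notBefore: '2024-01-01T12:00:00Z',
  notOnOrAfter: '2024-01-01T12:05:00Z',
  audiences: ['https://sp.example.test/metadata'],
};
```

Run these checks after signature verification and decryption; the replay cache must be shared across server instances (or backed by a store) to be effective in a clustered deployment.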
Permalink: https://github.com/advisories/GHSA-mfcp-34xw-p57x
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1mY3AtMzR4dy1wNTd4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 4 years ago
Updated: almost 2 years ago
CVSS Score: 6.8
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Identifiers: GHSA-mfcp-34xw-p57x
References:
- https://github.com/Clever/saml2/pull/190
- https://www.npmjs.com/advisories/1222
- https://github.com/Clever/saml2/commit/ae0da4d0a0ea682a737be481e3bd78798be405c0
- https://snyk.io/vuln/SNYK-JS-SAML2JS-474637
- https://github.com/advisories/GHSA-mfcp-34xw-p57x
Blast Radius: 23.4
Affected Packages
npm:saml2-js
Dependent packages: 23
Dependent repositories: 2,769
Downloads: 324,509 last month
Affected Version Ranges: < 2.0.5
Fixed in: 2.0.5
All affected versions: 0.1.1, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.7, 0.3.0, 0.4.0, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.8.0, 0.8.1, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.5.0, 1.5.1, 1.6.0, 1.7.0, 1.8.0, 1.8.1, 1.9.0, 1.10.0, 1.11.0, 1.11.1, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 2.0.0, 2.0.1, 2.0.2, 2.0.3
All unaffected versions: 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.1.0, 3.0.0, 3.0.1, 3.1.0, 4.0.0, 4.0.1, 4.0.2