Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1mY3AtMzR4dy1wNTd4

Authentication Bypass in saml2-js

Versions of saml2-js prior to 2.0.5 are vulnerable to an Authentication Bypass. The package fails to enforce the assertion conditions for encrypted assertions, which may allow an attacker to reuse encrypted assertion tokens indefinitely.

Recommendation

Upgrade to version 2.0.5 or later.

Permalink: https://github.com/advisories/GHSA-mfcp-34xw-p57x
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1mY3AtMzR4dy1wNTd4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 4 years ago
Updated: over 1 year ago


CVSS Score: 6.8
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Identifiers: GHSA-mfcp-34xw-p57x
References: Repository: https://github.com/Clever/saml2
Blast Radius: 23.4

Affected Packages

npm:saml2-js
Dependent packages: 23
Dependent repositories: 2,769
Downloads: 514,344 last month
Affected Version Ranges: < 2.0.5
Fixed in: 2.0.5
All affected versions: 0.1.1, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.7, 0.3.0, 0.4.0, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.8.0, 0.8.1, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.5.0, 1.5.1, 1.6.0, 1.7.0, 1.8.0, 1.8.1, 1.9.0, 1.10.0, 1.11.0, 1.11.1, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 2.0.0, 2.0.1, 2.0.2, 2.0.3
All unaffected versions: 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.1.0, 3.0.0, 3.0.1, 3.1.0, 4.0.0, 4.0.1, 4.0.2