
MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1mY3AtMzR4dy1wNTd4

Severity: Moderate

Authentication Bypass in saml2-js

Affected package                         Affected versions   Fixed versions
npm:saml2-js (PURL: pkg:npm/saml2-js)    < 2.0.5             2.0.5

23 dependent packages, 2,769 dependent repositories, 510,928 downloads last month

Affected Version Ranges

All affected versions

0.1.1, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.7, 0.3.0, 0.4.0, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.8.0, 0.8.1, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.5.0, 1.5.1, 1.6.0, 1.7.0, 1.8.0, 1.8.1, 1.9.0, 1.10.0, 1.11.0, 1.11.1, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 2.0.0, 2.0.1, 2.0.2, 2.0.3

All unaffected versions

2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.1.0, 3.0.0, 3.0.1, 3.1.0, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4

Versions of saml2-js prior to 2.0.5 are vulnerable to an Authentication Bypass. The package fails to enforce the assertion conditions for encrypted assertions, which may allow an attacker to reuse encrypted assertion tokens indefinitely.
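As an added illustration (not saml2-js code and not part of this advisory), the check a service provider needs after decrypting an assertion: enforce the SAML 2.0 Conditions validity window (NotBefore / NotOnOrAfter) and the audience, so a captured assertion cannot be replayed indefinitely. The assertion text, the clock-skew allowance and the audience value are constructed for the example; the attribute extraction is a deliberate simplification of XML handling, and a real implementation would read these values from the signature-verified parsed document.

```javascript
// Added example, not saml2-js code: enforce the SAML 2.0 <Conditions> of a
// decrypted assertion. Skipping this check is what lets an assertion be
// replayed for as long as its encryption and signature stay valid.

const CLOCK_SKEW_MS = 60 * 1000; // allowance for IdP/SP clock drift (assumed value)

// Constructed sample assertion (not real IdP output): valid for five minutes.
const SAMPLE_ASSERTION = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-id" Version="2.0" IssueInstant="2020-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Conditions NotBefore="2020-01-01T12:00:00Z" NotOnOrAfter="2020-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>`;

// Minimal extraction of the Conditions attributes and Audience values.
// Simplification for a dependency-free example; production code should take
// these from the parsed, signature-verified document, not from raw text.
function extractConditions(assertionXml) {
  const tag = assertionXml.match(/<(?:[\w-]+:)?Conditions\b([^>]*)>/);
  if (!tag) return null;
  const attrs = {};
  for (const a of tag[1].matchAll(/([\w:-]+)\s*=\s*"([^"]*)"/g)) attrs[a[1]] = a[2];
  const audiences = [...assertionXml.matchAll(
    /<(?:[\w-]+:)?Audience>\s*([^<\s]+)\s*<\/(?:[\w-]+:)?Audience>/g)].map(m => m[1]);
  return { notBefore: attrs.NotBefore, notOnOrAfter: attrs.NotOnOrAfter, audiences };
}

// Returns { ok, reason }. Fails closed on anything missing or unparseable:
// an assertion without an expiry would otherwise be replayable forever.
function checkConditions(assertionXml, { now = Date.now(), expectedAudience } = {}) {
  const c = extractConditions(assertionXml);
  if (!c) return { ok: false, reason: 'missing Conditions' };
  if (!c.notOnOrAfter) return { ok: false, reason: 'missing NotOnOrAfter' };
  const notOnOrAfter = Date.parse(c.notOnOrAfter);
  const notBefore = c.notBefore === undefined ? null : Date.parse(c.notBefore);
  if (Number.isNaN(notOnOrAfter) || Number.isNaN(notBefore)) {
    return { ok: false, reason: 'unparseable timestamp' };
  }
  if (notBefore !== null && now + CLOCK_SKEW_MS < notBefore) {
    return { ok: false, reason: 'assertion not yet valid' };
  }
  if (now - CLOCK_SKEW_MS >= notOnOrAfter) {
    return { ok: false, reason: 'assertion expired' };
  }
  // When the SP expects an audience, an assertion naming none is rejected too.
  if (expectedAudience !== undefined && !c.audiences.includes(expectedAudience)) {
    return { ok: false, reason: 'audience mismatch' };
  }
  return { ok: true, reason: 'conditions satisfied' };
}

// Usage: the same assertion accepted inside its window and rejected after it.
const AUDIENCE = 'https://sp.example.test/metadata';
console.log(checkConditions(SAMPLE_ASSERTION,
  { now: Date.parse('2020-01-01T12:02:00Z'), expectedAudience: AUDIENCE }));
console.log(checkConditions(SAMPLE_ASSERTION,
  { now: Date.parse('2020-01-01T13:00:00Z'), expectedAudience: AUDIENCE }));
```

The point of the example is the order of operations: decryption and signature verification establish that the IdP issued the assertion, but only the Conditions check establishes that it is still meant to be accepted now and by this service provider. Both have to pass before a session is created.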

Recommendation

Upgrade to version 2.0.5 or later.
