Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWc2ajItY2gyNS01bW12

Missing Token Replay Detection in Saml2 Authentication services for ASP.NET

Impact

Token Replay Detection is an important defence in depth measure for Single Sign On solutions. In all previous 2.X versions, the Token Replay Detection is not properly implemented.

Note that version 1.0.1 is not affected. It has a correct Token Replay Implementation and is safe to use.

Patches

The 2.5.0 version is patched.

Workarounds

There are no workarounds with existing versions. Fixing the issue requires code updates.

References

https://en.wikipedia.org/wiki/Replay_attack

For more information

If you have any questions or comments about this advisory:

Permalink: https://github.com/advisories/GHSA-g6j2-ch25-5mmv
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWc2ajItY2gyNS01bW12
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 4 years ago
Updated: about 1 year ago


CVSS Score: 8.2
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

Identifiers: GHSA-g6j2-ch25-5mmv, CVE-2020-5261
References: Repository: https://github.com/Sustainsys/Saml2

Affected Packages

nuget:Sustainsys.Saml2
Dependent packages: 0
Dependent repositories: 0
Downloads: 6,277,464 total
Affected Version Ranges: >= 2.0.0, < 2.5.0
Fixed in: 2.5.0
All affected versions: 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.4.0
All unaffected versions: 0.23.0, 0.24.0, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 2.5.0, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.9.1, 2.9.2