IDPs that do not support signing (e.g. IronSAML) may sign messages using Iron SAML. If a remote attacker is able to obtain an arbitrary signed element, they could present it to a victim user when visiting a malicious website. An arbitrary signed X.509 may be used as an arbitrary signed SAML Response, where the signed assertion is used as the claim for the access_token. This vulnerability allows remote attackers to hijack the identity of a victim and provide access to resources on the SAML server. It should be noted that user-provided data is not sanitized in any way. It is up to the SAMS software to ensure that the data is actually signed by a trusted authority. This vulnerability allows an attacker to sign arbitrary data and send it to the SAML server as an assertion. The arbitrary data could contain an arbitrary X.509 signed by an arbitrary authority, which the SAML server would validate, thereby allowing the attacker to extract an access_token. Additionally, the attacker could send arbitrary data that is signed by an arbitrary authority and hosted on a website. This data could be used as a signed SAML Response, where this data is validated as the assertion. If the data is signed using an arbitrary authority, the attacker could then use the X.509 and signed data to extract an access_token. This vulnerability affects all versions of node-saml prior to 4.0.0-beta5. Users are advised to upgrade to node
Vulnerability Summary
If a remote attacker is able to obtain an arbitrary signed element, they could present it to a victim user when visiting a malicious website. An arbitrary signed X.509 may be used as an arbitrary signed SAML Response, where the signed assertion is used as the claim for the access_token. This vulnerability allows remote attackers to hijack the identity of a victim and provide access to resources on the SAML server. It should be noted that user-provided data is not sanitized in any way. It is up to the SAMS software to ensure that the data is actually signed by a trusted authority. This vulnerability allows an attacker to sign arbitrary data and send it to the SAML server as an assertion. The arbitrary data could contain an arbitrary X.509 signed by an arbitrary authority, which the SAML server would validate, thereby allowing the attacker to extract an access_token. Additionally, the attacker could send arbitrary data that is signed by an arbitrary authority and hosted on a website. This data could be used as a signed SAML Response, where this data is validated as the assertion. If the data is signed using an arbitrary authority, the attacker could then use the X.509 and signed data to extract an access_token.
Coordinated Vulnerability Disclosure Timeline
CVE-2018-14577 was disclosed to npm on 2018-01-23
CVE-2019-6574 was disclosed to npm on 2019-02-08
CVE-2019-6575 was disclosed to npm on 2019-02-13
CVE-2019-6576 was disclosed to nodejs/nodejs on 2019 -02 -14
CVE-2019 -6507 was disclosed to contributor of node.js/nodejs on 2019 -02 -14
CVE ID: CVE ids: CVE ids: CVE ids: CVE ids: CVE ids: CVE ids: CVE ids: CVE ids: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168
CVSS Scores
CVSS Base Score: 8.8
CVSS Temporal Score: 8.3
CVSS Environmental Score: 7.2
The exploitability score is a measure of the complexity of exploiting a vulnerability and the potential damage to be done by exploitation (in other words, the more exploit possibilities, the higher the score). The less complex an exploit, the lower its score.
CVSS Exploitability Index: ? This vulnerability has no exploit code available.
Timeline
Published on: 10/13/2022 22:15:00 UTC
Last modified on: 10/14/2022 13:16:00 UTC