Clever saml2-js 2.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.
References
Link | Resource |
---|---|
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations | Exploit Technical Description Third Party Advisory |
https://www.kb.cert.org/vuls/id/475445 | Third Party Advisory US Government Resource |
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations | Exploit Technical Description Third Party Advisory |
https://www.kb.cert.org/vuls/id/475445 | Third Party Advisory US Government Resource |
Configurations
History
21 Nov 2024, 03:07
Type | Values Removed | Values Added |
---|---|---|
References | () https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations - Exploit, Technical Description, Third Party Advisory | |
References | () https://www.kb.cert.org/vuls/id/475445 - Third Party Advisory, US Government Resource | |
CVSS |
v2 : v3 : |
v2 : 7.5
v3 : 7.7 |
Information
Published : 2019-04-17 14:29
Updated : 2024-11-21 03:07
NVD link : CVE-2017-11429
Mitre link : CVE-2017-11429
CVE.ORG link : CVE-2017-11429
JSON object : View
Products Affected
clever
- saml2-js
CWE
CWE-287
Improper Authentication