CVE-2020-5268

In Saml2 Authentication Services for ASP.NET versions before 1.0.2, and between 2.0.0 and 2.6.0, there is a vulnerability in how tokens are validated in some cases. Saml2 tokens are usually used as bearer tokens - a caller that presents a token is assumed to be the subject of the token. There is also support in the Saml2 protocol for issuing tokens that is tied to a subject through other means, e.g. holder-of-key where possession of a private key must be proved. The Sustainsys.Saml2 library incorrectly treats all incoming tokens as bearer tokens, even though they have another subject confirmation method specified. This could be used by an attacker that could get access to Saml2 tokens with another subject confirmation method than bearer. The attacker could then use such a token to create a log in session. This vulnerability is patched in versions 1.0.2 and 2.7.0.

CVSS v3 7.3 HIGH
CVSS v2.0 4.9 MEDIUM

7.3^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.1 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

4.9^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:S/C:P/I:P/A:N

Exploitability : 6.8 / Impact : 4.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://github.com/Sustainsys/Saml2/commit/e58e0a1aff2b1ead6aca080b7cdced55ee6d5241	Patch Third Party Advisory
https://github.com/Sustainsys/Saml2/issues/712	Third Party Advisory
https://github.com/Sustainsys/Saml2/security/advisories/GHSA-9475-xg6m-j7pw	Mitigation Third Party Advisory
https://www.nuget.org/packages/Sustainsys.Saml2/	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:sustainsys:saml2::::::::
	cpe:2.3:a:sustainsys:saml2::::::::

History

No history.

Information

Published : 2020-04-21 17:15

Updated : 2024-02-28 17:47

NVD link : CVE-2020-5268

Mitre link : CVE-2020-5268

CVE.ORG link : CVE-2020-5268

JSON object : View

Products Affected

sustainsys

saml2

CWE

CWE-287

Improper Authentication

CWE-303

Incorrect Implementation of Authentication Algorithm

{"id": "CVE-2020-5268", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.9, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.1}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 1.3}]}, "published": "2020-04-21T17:15:13.053", "references": [{"url": "https://github.com/Sustainsys/Saml2/commit/e58e0a1aff2b1ead6aca080b7cdced55ee6d5241", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Sustainsys/Saml2/issues/712", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Sustainsys/Saml2/security/advisories/GHSA-9475-xg6m-j7pw", "tags": ["Mitigation", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://www.nuget.org/packages/Sustainsys.Saml2/", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-287"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-303"}]}], "descriptions": [{"lang": "en", "value": "In Saml2 Authentication Services for ASP.NET versions before 1.0.2, and between 2.0.0 and 2.6.0, there is a vulnerability in how tokens are validated in some cases. Saml2 tokens are usually used as bearer tokens - a caller that presents a token is assumed to be the subject of the token. There is also support in the Saml2 protocol for issuing tokens that is tied to a subject through other means, e.g. holder-of-key where possession of a private key must be proved. The Sustainsys.Saml2 library incorrectly treats all incoming tokens as bearer tokens, even though they have another subject confirmation method specified. This could be used by an attacker that could get access to Saml2 tokens with another subject confirmation method than bearer. The attacker could then use such a token to create a log in session. This vulnerability is patched in versions 1.0.2 and 2.7.0."}, {"lang": "es", "value": "En Saml2 Authentication Services para las versiones ASP.NET en versiones anteriores a la 1.0.2, y entre 2.0.0 y 2.6.0, existe una vulnerabilidad en la forma en que se validan los tokens en algunos casos. Los tokens Saml2 generalmente se usan como token de portador: se supone que una persona que llama que presenta un token es el sujeto del token. Tambi\u00e9n hay soporte en el protocolo Saml2 para emitir tokens vinculados a un sujeto a trav\u00e9s de otros medios, p. titular de la clave donde debe demostrarse la posesi\u00f3n de una clave privada. La biblioteca Sustainsys.Saml2 trata incorrectamente todos los tokens entrantes como tokens de portador, aunque tengan otro m\u00e9todo de confirmaci\u00f3n de sujeto especificado. Esto podr\u00eda ser utilizado por un atacante que podr\u00eda obtener acceso a los tokens Saml2 con otro m\u00e9todo de confirmaci\u00f3n de sujeto que el portador. El atacante podr\u00eda usar ese token para crear una sesi\u00f3n de inicio de sesi\u00f3n. Esta vulnerabilidad est\u00e1 parcheada en las versiones 1.0.2 y 2.7.0."}], "lastModified": "2020-05-06T17:26:40.847", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sustainsys:saml2:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E920AE48-2FCB-479F-AA28-CD7AA3B548AD", "versionEndExcluding": "1.0.2"}, {"criteria": "cpe:2.3:a:sustainsys:saml2:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0DDDAA6B-BAB1-4BAA-97C8-65A2F3F9244C", "versionEndExcluding": "2.7.0", "versionStartIncluding": "2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}