CVE-2020-5268

{"id": "CVE-2020-5268", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.9, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 1.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.1}]}, "published": "2020-04-21T17:15:13.053", "references": [{"url": "https://github.com/Sustainsys/Saml2/commit/e58e0a1aff2b1ead6aca080b7cdced55ee6d5241", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Sustainsys/Saml2/issues/712", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Sustainsys/Saml2/security/advisories/GHSA-9475-xg6m-j7pw", "tags": ["Mitigation", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://www.nuget.org/packages/Sustainsys.Saml2/", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Sustainsys/Saml2/commit/e58e0a1aff2b1ead6aca080b7cdced55ee6d5241", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/Sustainsys/Saml2/issues/712", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/Sustainsys/Saml2/security/advisories/GHSA-9475-xg6m-j7pw", "tags": ["Mitigation", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.nuget.org/packages/Sustainsys.Saml2/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-303"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "In Saml2 Authentication Services for ASP.NET versions before 1.0.2, and between 2.0.0 and 2.6.0, there is a vulnerability in how tokens are validated in some cases. Saml2 tokens are usually used as bearer tokens - a caller that presents a token is assumed to be the subject of the token. There is also support in the Saml2 protocol for issuing tokens that is tied to a subject through other means, e.g. holder-of-key where possession of a private key must be proved. The Sustainsys.Saml2 library incorrectly treats all incoming tokens as bearer tokens, even though they have another subject confirmation method specified. This could be used by an attacker that could get access to Saml2 tokens with another subject confirmation method than bearer. The attacker could then use such a token to create a log in session. This vulnerability is patched in versions 1.0.2 and 2.7.0."}, {"lang": "es", "value": "En Saml2 Authentication Services para las versiones ASP.NET en versiones anteriores a la 1.0.2, y entre 2.0.0 y 2.6.0, existe una vulnerabilidad en la forma en que se validan los tokens en algunos casos. Los tokens Saml2 generalmente se usan como token de portador: se supone que una persona que llama que presenta un token es el sujeto del token. Tambi\u00e9n hay soporte en el protocolo Saml2 para emitir tokens vinculados a un sujeto a trav\u00e9s de otros medios, p. titular de la clave donde debe demostrarse la posesi\u00f3n de una clave privada. La biblioteca Sustainsys.Saml2 trata incorrectamente todos los tokens entrantes como tokens de portador, aunque tengan otro m\u00e9todo de confirmaci\u00f3n de sujeto especificado. Esto podr\u00eda ser utilizado por un atacante que podr\u00eda obtener acceso a los tokens Saml2 con otro m\u00e9todo de confirmaci\u00f3n de sujeto que el portador. El atacante podr\u00eda usar ese token para crear una sesi\u00f3n de inicio de sesi\u00f3n. Esta vulnerabilidad est\u00e1 parcheada en las versiones 1.0.2 y 2.7.0."}], "lastModified": "2024-11-21T05:33:48.237", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sustainsys:saml2:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E920AE48-2FCB-479F-AA28-CD7AA3B548AD", "versionEndExcluding": "1.0.2"}, {"criteria": "cpe:2.3:a:sustainsys:saml2:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0DDDAA6B-BAB1-4BAA-97C8-65A2F3F9244C", "versionEndExcluding": "2.7.0", "versionStartIncluding": "2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}