CVE-2022-26493

Xecurify's miniOrange Premium, Standard, and Enterprise Drupal SAML SP modules possess an authentication and authorization bypass vulnerability. An attacker with access to a HTTP-request intercepting method is able to bypass authentication and authorization by removing the SAML Assertion Signature - impersonating existing users and existing roles, including administrative users/roles. This vulnerability is not mitigated by configuring the module to enforce signatures or certificate checks. Xecurify recommends updating miniOrange modules to their most recent versions. This vulnerability is present in paid versions of the miniOrange Drupal SAML SP product affecting Drupal 7, 8, and 9.

CVSS v3 9.8 CRITICAL
CVSS v2.0 6.5 MEDIUM

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://rafarmerjr1.github.io/2022/06/13/SAML-miniOrange.html
https://rafarmerjr1.github.io/2022/06/13/SAML-miniOrange.html

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:drupal:saml_sp_2.0_single_sign_on::::::::
	cpe:2.3:a:drupal:saml_sp_2.0_single_sign_on::::::::

History

21 Nov 2024, 06:54

Type	Values Removed	Values Added
CVSS	v2 : ~~6.5~~ v3 : ~~8.8~~	v2 : 6.5 v3 : 9.8
References	~~() https://rafarmerjr1.github.io/2022/06/13/SAML-miniOrange.html -~~	() https://rafarmerjr1.github.io/2022/06/13/SAML-miniOrange.html -

Information

Published : 2022-06-03 18:15

Updated : 2024-11-21 06:54

NVD link : CVE-2022-26493

Mitre link : CVE-2022-26493

CVE.ORG link : CVE-2022-26493

JSON object : View

Products Affected

drupal

saml_sp_2.0_single_sign_on

CWE

CWE-295

Improper Certificate Validation

{"id": "CVE-2022-26493", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "mlhess@drupal.org", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2022-06-03T18:15:09.207", "references": [{"url": "https://rafarmerjr1.github.io/2022/06/13/SAML-miniOrange.html", "source": "mlhess@drupal.org"}, {"url": "https://rafarmerjr1.github.io/2022/06/13/SAML-miniOrange.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-295"}]}], "descriptions": [{"lang": "en", "value": "Xecurify's miniOrange Premium, Standard, and Enterprise Drupal SAML SP modules possess an authentication and authorization bypass vulnerability. An attacker with access to a HTTP-request intercepting method is able to bypass authentication and authorization by removing the SAML Assertion Signature - impersonating existing users and existing roles, including administrative users/roles. This vulnerability is not mitigated by configuring the module to enforce signatures or certificate checks. Xecurify recommends updating miniOrange modules to their most recent versions. This vulnerability is present in paid versions of the miniOrange Drupal SAML SP product affecting Drupal 7, 8, and 9."}, {"lang": "es", "value": "Los m\u00f3dulos miniOrange Premium, Standard y Enterprise Drupal SAML SP de Xecurify poseen una vulnerabilidad en la autenticaci\u00f3n y autorizaci\u00f3n. Un atacante con acceso a un m\u00e9todo de interceptaci\u00f3n de peticiones HTTP es capaz de saltarse la autenticaci\u00f3n y la autorizaci\u00f3n eliminando la firma de aserci\u00f3n SAML, suplantando a los usuarios y roles existentes, incluidos los usuarios/roles administrativos. Esta vulnerabilidad no se mitiga configurando el m\u00f3dulo para reforzar las firmas o las comprobaciones de certificados. Xecurify recomienda actualizar los m\u00f3dulos de miniOrange a sus versiones m\u00e1s recientes. Esta vulnerabilidad est\u00e1 presente en las versiones de pago del producto miniOrange Drupal SAML SP que afecta a Drupal 7, 8 y 9"}], "lastModified": "2024-11-21T06:54:03.060", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:drupal:saml_sp_2.0_single_sign_on:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C8F4331D-5CC0-4992-B46D-6504ACCD803D", "versionEndIncluding": "7.x-2.57", "versionStartIncluding": "7.x"}, {"criteria": "cpe:2.3:a:drupal:saml_sp_2.0_single_sign_on:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AC5A17E2-1CB0-4193-9558-8E384568F4BF", "versionEndIncluding": "8.x-2.24", "versionStartIncluding": "8.x"}], "operator": "OR"}]}], "sourceIdentifier": "mlhess@drupal.org"}