Description

Clever saml2-js 2.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.

Remediation

References

https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations

https://www.kb.cert.org/vuls/id/475445

Related Vulnerabilities

CVE-2021-41167 Vulnerability in npm package modern-async

CVE-2023-36106 Vulnerability in maven package tech.powerjob:powerjob

CVE-2020-10714 Vulnerability in maven package org.wildfly.security:wildfly-elytron

CVE-2019-12728 Vulnerability in maven package org.grails:grails-core

CVE-2021-25642 Vulnerability in maven package org.apache.hadoop:hadoop-yarn-server-resourcemanager

Severity

Critical

Classification

CWE-287 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Technical Description Third Party Advisory US Government Resource