Description

Clever saml2-js 2.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.

Remediation

References

https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations

https://www.kb.cert.org/vuls/id/475445

Related Vulnerabilities

CVE-2021-26291 Vulnerability in maven package org.apache.maven:apache-maven

CVE-2023-38889 Vulnerability in maven package org.alluxio:alluxio-parent

CVE-2021-39234 Vulnerability in maven package org.apache.ozone:ozone-common

CVE-2016-0710 Vulnerability in maven package org.apache.portals.jetspeed-2:jetspeed-security

CVE-2022-23619 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web

Severity

Critical

Classification

CWE-287 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Technical Description Third Party Advisory US Government Resource