Description
Clever saml2-js 2.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.
Remediation
References
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
https://www.kb.cert.org/vuls/id/475445
Related Vulnerabilities
CVE-2021-41167 Vulnerability in npm package modern-async
CVE-2023-36106 Vulnerability in maven package tech.powerjob:powerjob
CVE-2020-10714 Vulnerability in maven package org.wildfly.security:wildfly-elytron
CVE-2019-12728 Vulnerability in maven package org.grails:grails-core
CVE-2021-25642 Vulnerability in maven package org.apache.hadoop:hadoop-yarn-server-resourcemanager