CVE-2022-41912

critical

Description

The crewjam/saml go library prior to version 0.4.9 is vulnerable to an authentication bypass when processing SAML responses containing multiple Assertion elements. This issue has been corrected in version 0.4.9. There are no workarounds other than upgrading to a fixed version.

References

Advisories

https://github.com/crewjam/saml/security/advisories/GHSA-j2jp-wvqg-wc2g

https://github.com/crewjam/saml/commit/aee3fb1edeeaf1088fcb458727e0fd863d277f8b

http://packetstormsecurity.com/files/170356/crewjam-saml-Signature-Bypass.html

Details

Source: Mitre, NVD

Published: 2022-11-28

Updated: 2023-02-01

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.00209