SCA: security update for Sustainsys.Saml2 (GHSA-fv2h-753j-9g39)

high Tenable Self-Hosted Container Security Plugin ID 414695

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Sustainsys.Saml2 library adds SAML2P support to ASP.NET web sites, allowing the web site to act as a SAML2
Service Provider. Prior to versions 1.0.3 and 2.9.2, when a response is processed, the issuer of the
Identity Provider is not sufficiently validated. This could allow a malicious identity provider to craft a
Saml2 response that is processed as if issued by another identity provider. It is also possible for a
malicious end user to cause stored state intended for one identity provider to be used when processing the
response from another provider. An application is impacted if they rely on any of these features in their
authentication/authorization logic: the issuer of the generated identity and claims; or items in the
stored request state (AuthenticationProperties). This issue is patched in versions 2.9.2 and 1.0.3. The
`AcsCommandResultCreated` notification can be used to add the validation required if an upgrade to patched
packages is not possible. (CVE-2023-41890)

See Also

https://github.com/advisories/GHSA-fv2h-753j-9g39

Plugin Details

Severity: High

ID: 414695

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: CVE-2023-41890

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 9/20/2023

Vulnerability Publication Date: 9/19/2023

Reference Information

CVE: CVE-2023-41890