CVE-2022-41912 — Improper Authentication in Saml

CWE-287 — Improper Authentication CWE-347 — Improper Verification of Cryptographic Signature7 documents5 sources

Severity

9.8CRITICALNVD

CNA9.1

EPSS

0.3%

top 49.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Crewjam Saml Github.com Crewjam Saml Saml Project Saml

Timeline

PublishedNov 28

Latest updateNov 29

Description

The crewjam/saml go library prior to version 0.4.9 is vulnerable to an authentication bypass when processing SAML responses containing multiple Assertion elements. This issue has been corrected in version 0.4.9. There are no workarounds other than upgrading to a fixed version.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5crewjam/saml< 0.4.9

▶Gogithub.com/crewjam_saml< 0.4.9

▶NVDsaml_project/saml< 0.4.9

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Authentication bypass in github.com/crewjam/saml↗2022-11-29

▶

GHSA

crewjam/saml vulnerable to signature bypass via multiple Assertion elements due to improper authentication↗2022-11-29

▶

OSV

crewjam/saml vulnerable to signature bypass via multiple Assertion elements due to improper authentication↗2022-11-29

▶

CVEList

crewjam/saml go library is vulnerable to signature bypass via multiple Assertion elements↗2022-11-28

▶

OSV

CVE-2022-41912: The crewjam/saml go library prior to version 0↗2022-11-28

▶

📋Vendor Advisories

Red Hat

crewjam/saml: Authentication bypass when processing SAML responses containing multiple Assertion elements↗2022-11-28

▶