CVE-2022-39299

Signature bypass via multiple root elements in Passport-SAML

CVSS 7.4 HIGH | EPSS 3.0% | CWE-347

In short

Passport-SAML authentication can be bypassed by attackers who craft malicious SAML messages with multiple root elements, allowing them to gain unauthorized access without valid credentials.

Technical detail

The vulnerability exists in passport-saml's XML signature validation, where improper handling of documents with multiple root elements allows signature bypass attacks. An attacker with access to an IDP-signed XML element can craft a malicious SAML response that passes validation checks, potentially enabling unauthenticated access depending on IDP configuration.

Summary generated and translated by AI from the official description.
Passport-SAML is a SAML 2.0 authentication provider for Passport, the Node.js authentication library. A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP-signed XML element. Depending on the IDP used, fully unauthenticated attacks (e.g., without access to a valid user) might also be feasible if generation of a signed message can be triggered. Users should upgrade to passport-saml version 3.2.2 or newer. The issue was also present in the beta releases of `node-saml` before version 4.0.0-beta.5. If you cannot upgrade, disabling SAML authentication may be done as a workaround.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
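
To check a Node.js project against the version boundaries above, the following added example (not code from passport-saml or node-saml) scans the `packages` map of an npm lockfile and flags entries below the fixed versions, including nested copies. The lockfile contents are constructed, and reading the `packages` map assumes an npm lockfile in v2/v3 format.

```javascript
// Added example: audit an npm lockfile for the advisory's affected ranges.
const FIXED = new Map([['passport-saml', '3.2.2'], ['node-saml', '4.0.0-beta.5']]);

// Parse "1.2.3" or "1.2.3-beta.4" into numeric core parts and prerelease identifiers.
function parse(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(String(v));
  if (!m) return null;
  const pre = m[4] ? m[4].split('.').map((p) => (/^\d+$/.test(p) ? Number(p) : p)) : [];
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre };
}

// Semver precedence: negative when a < b. A prerelease sorts before its release.
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a.core[i] !== b.core[i]) return a.core[i] - b.core[i];
  if (!a.pre.length || !b.pre.length) return b.pre.length - a.pre.length;
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    const x = a.pre[i], y = b.pre[i];
    if (x === undefined || y === undefined) return x === undefined ? -1 : 1;
    if (x === y) continue;
    const nx = typeof x === 'number', ny = typeof y === 'number';
    if (nx && ny) return x - y; // beta.10 is newer than beta.5
    if (nx !== ny) return nx ? -1 : 1; // numeric identifiers sort lower
    return x < y ? -1 : 1;
  }
  return 0;
}

function isAffected(name, version) {
  if (!FIXED.has(name)) return false;
  const v = parse(version);
  if (!v) return true; // unparseable version: fail closed and review by hand
  // The advisory limits node-saml exposure to beta releases before the fix.
  if (name === 'node-saml' && v.pre.length === 0) return false;
  return compare(v, parse(FIXED.get(name))) < 0;
}

// Walk the "packages" map of an npm lockfile (v2/v3), including nested copies.
function findAffected(lock) {
  return Object.entries(lock.packages || {})
    .map(([path, meta]) => ({ path, name: path.split('node_modules/').pop(), version: meta.version }))
    .filter((e) => isAffected(e.name, e.version));
}

const sampleLock = { packages: { // constructed sample, not a real project
  'node_modules/passport-saml': { version: '3.2.1' },
  'node_modules/node-saml': { version: '4.0.0-beta.4' },
  'node_modules/sso/node_modules/node-saml': { version: '4.0.0-beta.10' },
} };
console.log(findAffected(sampleLock));
```

In a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findAffected` instead of the sample object.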
