CVE-2021-23365 – github.com/tyktechnologies/tyk-identity-broker

Package

Manager: go
Name: github.com/tyktechnologies/tyk-identity-broker
Vulnerable Version: >=0 <1.1.1

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00366 pctl0.57844

Details

Authentication Bypass in tyk-identity-broker The package github.com/tyktechnologies/tyk-identity-broker before 1.1.1 are vulnerable to Authentication Bypass via the Go XML parser which can cause SAML authentication bypass. This is because the XML parser doesn’t guarantee integrity in the XML round-trip (encoding/decoding XML data).

Metadata

Created: 2021-06-23T17:23:30Z
Modified: 2021-05-20T21:24:49Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-599h-8wpj-75xj/GHSA-599h-8wpj-75xj.json
CWE IDs: ["CWE-287"]
Alternative ID: GHSA-599h-8wpj-75xj
Finding: F006
Auto approve: 1