CVE-2023-37471 org.openidentityplatform.openam:openam-federation-library

Package

Manager: maven
Name: org.openidentityplatform.openam:openam-federation-library
Vulnerable Version: >=0 <14.7.3

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00749 (percentile 0.7221)

Details

OpenAM vulnerable to user impersonation using SAMLv1.x SSO process

### Impact

OpenAM up to version 14.7.2 does not properly validate the signature of SAML responses received as part of the SAMLv1.x Single Sign-On process. Attackers can use this fact to impersonate any OpenAM user, including the administrator, by sending a specially crafted SAML response to the SAMLPOSTProfileServlet servlet.

### Patches

This problem has been patched in OpenAM 14.7.3-SNAPSHOT and later.

### Workarounds

Comment out the `SAMLPOSTProfileServlet` servlet in web.xml, or disable SAML in OpenAM.

```xml
<!-- servlet definition to comment out in web.xml -->
<servlet>
  <description>SAMLPOSTProfileServlet</description>
  <servlet-name>SAMLPOSTProfileServlet</servlet-name>
  <servlet-class>com.sun.identity.saml.servlet.SAMLPOSTProfileServlet</servlet-class>
</servlet>
...
<servlet-mapping>
  <servlet-name>SAMLSOAPReceiver</servlet-name>
  <url-pattern>/SAMLSOAPReceiver</url-pattern>
</servlet-mapping>
```

### References

#624

Metadata

Created: 2023-07-20T18:54:13Z
Modified: 2023-07-20T18:54:13Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-4mh8-9wq6-rjxg/GHSA-4mh8-9wq6-rjxg.json
CWE IDs: ["CWE-287"]
Alternative ID: GHSA-4mh8-9wq6-rjxg
Finding: F039
Auto approve: 1