GHSA-mfcp-34xw-p57x – saml2-js
Package
Manager: npm
Name: saml2-js
Vulnerable Version: >=0 <2.0.5
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
Authentication Bypass in saml2-js

Versions of `saml2-js` prior to 2.0.5 are vulnerable to an Authentication Bypass. The package fails to enforce the assertion conditions for encrypted assertions, which may allow an attacker to reuse encrypted assertion tokens indefinitely.

## Recommendation

Upgrade to version 2.0.5 or later.
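The assertion-condition enforcement this advisory refers to, sketched as an added example; it is not saml2-js's code and not part of the advisory. The object shape (`conditions.notBefore`, `notOnOrAfter`, `audiences`, `wasEncrypted`), the 60-second skew and the policy of rejecting assertions with no expiry are assumptions, and the input is taken to be already decrypted and signature-verified.

```javascript
// Added example: enforce SAML <Conditions> identically for plaintext and
// decrypted assertions. Field names are hypothetical, not saml2-js's API.
const DEFAULT_SKEW_MS = 60 * 1000; // assumed tolerance for clock drift

function parseInstant(value, name) {
  const t = Date.parse(value);
  if (typeof value !== 'string' || Number.isNaN(t)) throw new Error(`invalid ${name}`);
  return t;
}

// Returns { ok: true } or { ok: false, reason }.
function checkConditions(conditions, expectedAudience, nowMs = Date.now(), skewMs = DEFAULT_SKEW_MS) {
  if (!conditions) return { ok: false, reason: 'missing Conditions' };
  try {
    if (conditions.notBefore !== undefined &&
        nowMs + skewMs < parseInstant(conditions.notBefore, 'NotBefore')) {
      return { ok: false, reason: 'not yet valid' };
    }
    // Strict policy (assumption): an assertion without an expiry is refused,
    // since it could otherwise be replayed indefinitely.
    if (conditions.notOnOrAfter === undefined) return { ok: false, reason: 'no expiry' };
    // NotOnOrAfter is exclusive: the assertion is invalid at that instant.
    if (nowMs - skewMs >= parseInstant(conditions.notOnOrAfter, 'NotOnOrAfter')) {
      return { ok: false, reason: 'expired' };
    }
  } catch (e) {
    return { ok: false, reason: e.message };
  }
  const audiences = conditions.audiences || [];
  if (!audiences.includes(expectedAudience)) return { ok: false, reason: 'audience mismatch' };
  return { ok: true };
}

// Single entry point: the encrypted path gets no shortcut around the check.
function acceptAssertion(assertion, expectedAudience, nowMs) {
  const result = checkConditions(assertion.conditions, expectedAudience, nowMs);
  return { ...result, wasEncrypted: Boolean(assertion.wasEncrypted) };
}

// Constructed sample: a decrypted assertion valid for five minutes.
const sample = {
  wasEncrypted: true,
  conditions: {
    notBefore: '2020-09-03T21:00:00Z',
    notOnOrAfter: '2020-09-03T21:05:00Z',
    audiences: ['https://sp.example.test/metadata'],
  },
};
```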
Metadata
Created: 2020-09-03T21:20:52Z
Modified: 2021-09-29T20:12:42Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-mfcp-34xw-p57x/GHSA-mfcp-34xw-p57x.json
CWE IDs: ["CWE-287"]
Alternative ID: N/A
Finding: F006
Auto approve: 1