CVE-2020-5261 – sustainsys.saml2

Package

Manager: nuget
Name: sustainsys.saml2
Vulnerable Version: >=2.0.0 <2.5.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

EPSS: 0.00285 pctl0.51623

Details

Missing Token Replay Detection in Saml2 Authentication services for ASP.NET ### Impact Token Replay Detection is an important defence in depth measure for Single Sign On solutions. In all previous 2.X versions, the Token Replay Detection is not properly implemented. Note that version 1.0.1 is not affected. It has a correct Token Replay Implementation and is safe to use. ### Patches The 2.5.0 version is patched. ### Workarounds There are no workarounds with existing versions. Fixing the issue requires code updates. ### References https://en.wikipedia.org/wiki/Replay_attack ### For more information If you have any questions or comments about this advisory: * Comment on #711. * Email us at [security@sustainsys.com](mailto:security@susatinsys.com) if you think that there are further security issues.

Metadata

Created: 2020-03-25T16:52:49Z
Modified: 2021-01-08T20:24:58Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-g6j2-ch25-5mmv/GHSA-g6j2-ch25-5mmv.json
CWE IDs: ["CWE-294"]
Alternative ID: GHSA-g6j2-ch25-5mmv
Finding: F115
Auto approve: 1