
CVSS: 8.8 | EPSS: 0% | CPEs: 5 | EXPL: 0

02 Jun 2021 — Lasso all versions prior to 2.7.0 has improper verification of a cryptographic signature. An XML Signature Wrapping (XSW) vulnerability was found in Lasso. This flaw allows an attacker to modify a valid SAML response to include an unsigned SAML assertion, which may be used to impersonate another valid user recognized by the service using Lasso. The highest threat from this vulnerability is...
Reference: http://listes.entrouvert.com/arc/lasso
CWE-345: Insufficient Verification of Data Authenticity; CWE-347: Improper Verification of Cryptographic Signature

CVSS: 7.5 | EPSS: 1% | CPEs: 4 | EXPL: 0

11 Aug 2017 — The prefix variable in the get_or_define_ns function in Lasso before commit 6d854cef4211cdcdbc7446c978f23ab859847cdd allows remote attackers to cause a denial of service (uninitialized memory access and application crash) via unspecified vectors.
Reference: http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154321.html
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSS: 7.5 | EPSS: 0% | CPEs: 3 | EXPL: 0

07 Jan 2009 — Lasso 2.2.1 and earlier does not properly check the return value from the OpenSSL DSA_verify function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077.
Reference: http://www.ocert.org/advisories/ocert-2008-016.html
CWE-20: Improper Input Validation