CVE-2020-5268
Subject Confirmation Method not validated in Saml2 Authentication Services for ASP.NET
- Public Exploits: 0
- Exploited in Wild: -
- Decision: -
Descriptions
In Saml2 Authentication Services for ASP.NET versions before 1.0.2, and between 2.0.0 and 2.6.0, there is a vulnerability in how tokens are validated in some cases. Saml2 tokens are usually used as bearer tokens: a caller that presents a token is assumed to be the subject of the token. The Saml2 protocol also supports issuing tokens that are tied to a subject through other means, e.g. holder-of-key, where possession of a private key must be proved. The Sustainsys.Saml2 library incorrectly treats all incoming tokens as bearer tokens, even when they specify another subject confirmation method. This could be used by an attacker who obtains a Saml2 token with a subject confirmation method other than bearer; such a token could then be used to create a login session. This vulnerability is patched in versions 1.0.2 and 2.7.0.
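As an added illustration (not code from the Sustainsys.Saml2 project, which is C#; the check itself is language-independent), the pre-fix logic that ignores the SubjectConfirmation Method is shown next to a hardened check that only accepts an assertion as a bearer token when it carries a bearer confirmation whose Recipient and NotOnOrAfter are valid. The assertion XML, the ACS URL, the timestamps and the subject name are constructed sample values.

```python
"""SAML 2.0 subject confirmation check: the pre-fix behaviour (every assertion
treated as bearer) beside a hardened check that only accepts assertions with a
valid bearer SubjectConfirmation (constructed example, not library code)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
ACS_URL = "https://sp.example.test/Saml2/Acs"          # constructed SP endpoint
NOW = datetime(2020, 4, 21, 10, 2, tzinfo=timezone.utc)  # constructed clock


def make_assertion(method: str, not_on_or_after: str = "2020-04-21T10:05:00Z") -> str:
    """Minimal unsigned assertion with a single SubjectConfirmation (constructed)."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_c0ffee" Version="2.0"
    IssueInstant="2020-04-21T10:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="{method}">
      <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="{not_on_or_after}"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""


def vulnerable_accept(assertion_xml: str) -> bool:
    """Pre-fix logic: Method is never read, so a holder-of-key assertion an
    attacker obtained is accepted exactly like a bearer token."""
    root = ET.fromstring(assertion_xml)
    return root.find("saml:Subject/saml:SubjectConfirmation", NS) is not None


def hardened_accept(assertion_xml: str, recipient: str, now: datetime) -> bool:
    """Accept only if some SubjectConfirmation is bearer and its data names this
    recipient and is unexpired; methods this SP cannot prove are skipped."""
    root = ET.fromstring(assertion_xml)
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue  # holder-of-key / sender-vouches: no proof available here
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is None or data.get("Recipient") != recipient:
            continue
        expiry = data.get("NotOnOrAfter")
        if expiry is None or now >= datetime.fromisoformat(expiry.replace("Z", "+00:00")):
            continue  # NotOnOrAfter is exclusive
        return True
    return False
```

Signature validation, Audience and Conditions checks are assumed to happen before this step and are omitted here.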
SSVC
- Decision: -
Timeline
- 2020-01-02 CVE Reserved
- 2020-04-21 CVE Published
- 2023-03-07 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-287: Improper Authentication
- CWE-303: Incorrect Implementation of Authentication Algorithm
References (4)
URL | Tag | Source
---|---|---
https://github.com/Sustainsys/Saml2/issues/712 | Third Party Advisory |
https://github.com/Sustainsys/Saml2/security/advisories/GHSA-9475-xg6m-j7pw | Mitigation |
https://www.nuget.org/packages/Sustainsys.Saml2 | Third Party Advisory |

URL | Date | SRC
---|---|---
https://github.com/Sustainsys/Saml2/commit/e58e0a1aff2b1ead6aca080b7cdced55ee6d5241 | 2020-05-06 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Sustainsys | Saml2 | < 1.0.2 | - | Affected
Sustainsys | Saml2 | >= 2.0.0 < 2.7.0 | - | Affected