CVE-2021-39171
Unlimited transforms allowed for signed nodes
- Public Exploits: 0
- Exploited in Wild: -
Description
Passport-SAML is a SAML 2.0 authentication provider for Passport, the Node.js authentication library. Prior to version 3.1.0, a malicious SAML payload can require transforms that consume significant system resources to process, thereby resulting in reduced or denied service. This would be an effective way to perform a denial-of-service attack. This has been resolved in version 3.1.0. The resolution is to limit the number of allowable transforms to 2.
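As an added illustration (not passport-saml's own code; the sample XML below is constructed), a dependency-free Node.js pre-check that counts the `<Transform>` elements under each signed `<Reference>` and rejects a response exceeding the limit of 2 that the 3.1.0 fix adopted, before any signature verification work is spent on it:

```javascript
// Added example (not passport-saml's own code): pre-screen a SAML response
// for the number of <Transform> elements declared under each signature
// <Reference>, the quantity that the 3.1.0 fix for CVE-2021-39171 caps at 2,
// before any XML signature verification work is started.
// A regex scan is used only to keep the illustration dependency-free; a real
// deployment should apply the same count on a parsed DOM.

const MAX_TRANSFORMS = 2; // limit adopted by passport-saml 3.1.0

// <Reference ...> ... </Reference> with any (or no) namespace prefix.
const REFERENCE_RE = /<(?:[\w.-]+:)?Reference\b[^>]*>[\s\S]*?<\/(?:[\w.-]+:)?Reference>/g;
// Opening <Transform> tag; the \b keeps the <Transforms> wrapper from matching.
const TRANSFORM_RE = /<(?:[\w.-]+:)?Transform\b/g;

// Transform count for every Reference found, in document order.
function countTransformsPerReference(xml) {
  const refs = xml.match(REFERENCE_RE) || [];
  return refs.map((ref) => (ref.match(TRANSFORM_RE) || []).length);
}

// { ok, counts }: ok is false when any Reference exceeds the limit.
function checkTransformLimit(xml, max = MAX_TRANSFORMS) {
  const counts = countTransformsPerReference(xml);
  return { ok: counts.every((n) => n <= max), counts };
}

// Constructed sample: the two transforms a normal SAML signature carries
// (enveloped-signature, exclusive C14N) plus `extra` repeated C14N entries.
function buildSampleResponse(extra) {
  const c14n = '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>';
  const transforms = [
    '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>',
    c14n,
  ].concat(Array(extra).fill(c14n)).join('\n');
  return `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:SignedInfo>
    <ds:Reference URI="#_constructed-assertion-id">
      <ds:Transforms>${transforms}</ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <ds:DigestValue>constructed</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo></ds:Signature>
</samlp:Response>`;
}

console.log(checkTransformLimit(buildSampleResponse(0)));   // { ok: true, counts: [ 2 ] }
console.log(checkTransformLimit(buildSampleResponse(200))); // { ok: false, counts: [ 202 ] }
```

A response that fails the check should be rejected (and logged) before `SignedInfo` is canonicalised, since the cost the advisory describes is incurred while the transforms are applied.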
SSVC
- Decision: -
Timeline
- 2021-08-16 CVE Reserved
- 2021-08-27 CVE Published
- 2024-05-12 EPSS Updated
- 2024-08-04 CVE Updated
- Exploited in Wild: -
- KEV Due Date: -
- First Exploit: -
CWE
- CWE-400: Uncontrolled Resource Consumption
References (2)
URL | Tag | Date
---|---|---
https://github.com/node-saml/passport-saml/security/advisories/GHSA-5379-r78w-42h2 | Third Party Advisory |
https://github.com/node-saml/passport-saml/pull/595 | | 2021-09-07
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Passport-saml Project | Passport-saml | < 3.1.0 | node.js | Affected