CVE-2023-41890

Sustainsys.Saml2 Insufficient Identity Provider Issuer Validation

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Sustainsys.Saml2 library adds SAML2P support to ASP.NET web sites, allowing the web site to act as a SAML2 Service Provider.
Prior to versions 1.0.3 and 2.9.2, when a response is processed, the issuer of the Identity Provider is not sufficiently validated. This could allow a malicious identity provider to craft a Saml2 response that is processed as if issued by another identity provider. It is also possible for a malicious end user to cause stored state intended for one identity provider to be used when processing the response from another provider. An application is impacted if they rely on any of these features in their authentication/authorization logic: the issuer of the generated identity and claims; or items in the stored request state (AuthenticationProperties). This issue is patched in versions 2.9.2 and 1.0.3. The `AcsCommandResultCreated` notification can be used to add the validation required if an upgrade to patched packages is not possible.

La librería Sustainsys.Saml2 agrega soporte SAML2P a los sitios web ASP.NET, lo que permite que el sitio web actúe como un Proveedor de Servicios SAML2. Antes de las versiones 1.0.3 y 2.9.2, cuando se procesa una respuesta, el emisor del Proveedor de Identidad no está suficientemente validado. Esto podría permitir que un proveedor de identidad malicioso cree una respuesta Saml2 que se procese como si fuera emitida por otro proveedor de identidad. También es posible que un usuario final maliciso haga que se utilice el estado almacenado destinado a un proveedor de identidad al procesar la respuesta de otro proveedor. Una aplicación se ve afectada si depende de cualquiera de estas características en su lógica de autenticación/autorización: el emisor de la identidad y los reclamos generados; o elementos en el estado de solicitud almacenado (AuthenticationProperties). Este problema se solucionó en las versiones 2.9.2 y 1.0.3. La notificación `AcsCommandResultCreated` se puede utilizar para agregar la validación requerida si no es posible actualizar los paquetes parcheados.

*Credits: N/A

CVSS Scores

NISTv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-09-04 CVE Reserved
2023-09-19 CVE Published
2024-08-02 CVE Updated
2024-08-19 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-289: Authentication Bypass by Alternate Name
CWE-294: Authentication Bypass by Capture-replay

CAPEC

References (3)

URL	Tag	Source
https://github.com/Sustainsys/Saml2/security/advisories/GHSA-fv2h-753j-9g39	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/Sustainsys/Saml2/issues/712	2023-12-19
https://github.com/Sustainsys/Saml2/issues/713	2023-12-19

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Sustainsys Search vendor "Sustainsys"		Saml2 Search vendor "Sustainsys" for product "Saml2"				< 1.0.3 Search vendor "Sustainsys" for product "Saml2" and version " < 1.0.3"		-		Affected
Sustainsys Search vendor "Sustainsys"		Saml2 Search vendor "Sustainsys" for product "Saml2"				>= 2.0.0 < 2.9.2 Search vendor "Sustainsys" for product "Saml2" and version " >= 2.0.0 < 2.9.2"		-		Affected