CVE-2017-16897

Source
https://nvd.nist.gov/vuln/detail/CVE-2017-16897
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-16897.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2017-16897
Aliases
Published
2017-12-27T17:08:17Z
Modified
2024-09-02T23:49:01Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

A vulnerability has been discovered in the Auth0 passport-wsfed-saml2 library affecting versions < 3.0.5. This vulnerability allows an attacker to impersonate another user and potentially elevate their privileges if the SAML identity provider does not sign the full SAML response (e.g., only signs the assertion within the response).

References

Affected packages

Git / github.com/auth0/passport-wsfed-saml2

Affected ranges

Type
GIT
Repo
https://github.com/auth0/passport-wsfed-saml2
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed