CVE-2021-23365

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-23365
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-23365.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-23365
Aliases
Related
  • SNYK-GOLANG-GITHUBCOMTYKTECHNOLOGIESTYKIDENTITYBROKER-1089720
Published
2021-04-26T10:15:12Z
Modified
2025-01-15T01:48:02.313940Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
[none]
Details

Versions of the package github.com/tyktechnologies/tyk-identity-broker before 1.1.1 are vulnerable to Authentication Bypass via the Go XML parser, which can cause SAML authentication bypass. This is because the XML parser doesn't guarantee integrity in the XML round-trip (encoding/decoding XML data).

References

Affected packages

Git / github.com/tyktechnologies/tyk-identity-broker

Affected ranges

Type
GIT
Repo
https://github.com/tyktechnologies/tyk-identity-broker
Events

Affected versions

v0.*

v0.1
v0.2
v0.2.1
v0.3.0
v0.4.0
v0.5.0
v0.6.0
v0.6.1
v0.7.0
v0.7.1

v1.*

v1.0.0
v1.0.0-rc1