GHSA-4mh8-9wq6-rjxg

Suggest an improvement
Source
https://github.com/advisories/GHSA-4mh8-9wq6-rjxg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-4mh8-9wq6-rjxg/GHSA-4mh8-9wq6-rjxg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4mh8-9wq6-rjxg
Aliases
Published
2023-07-20T18:54:13Z
Modified
2024-02-16T08:22:14.354653Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
OpenAM vulnerable to user impersonation using SAMLv1.x SSO process
Details

Impact

OpenAM up to version 14.7.2 does not properly validate the signature of SAML responses received as part of the SAMLv1.x Single Sign-On process. Attackers can use this fact to impersonate any OpenAM user, including the administrator, by sending a specially crafted SAML response to the SAMLPOSTProfileServlet servlet.

Patches

This problem has been patched in OpenAM 14.7.3-SNAPSHOT and later

Workarounds

One should comment servlet SAMLPOSTProfileServlet in web.xml or disable SAML in OpenAM

<servlet>
    <description>SAMLPOSTProfileServlet</description>
    <servlet-name>SAMLPOSTProfileServlet</servlet-name>
    <servlet-class>com.sun.identity.saml.servlet.SAMLPOSTProfileServlet</servlet-class>
</servlet>
...
<servlet-mapping>
    <servlet-name>SAMLSOAPReceiver</servlet-name>
    <url-pattern>/SAMLSOAPReceiver</url-pattern>
</servlet-mapping>

References

624

References

Affected packages

Maven / org.openidentityplatform.openam:openam-federation-library

Package

Name
org.openidentityplatform.openam:openam-federation-library
View open source insights on deps.dev
Purl
pkg:maven/org.openidentityplatform.openam/openam-federation-library

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
14.7.3

Affected versions

14.*

14.5.2
14.5.3
14.5.4
14.6.1
14.6.2
14.6.3
14.6.4
14.6.5
14.6.6
14.7.0
14.7.1
14.7.2