GHSA-52jx-g6m5-h735

Source

https://github.com/advisories/GHSA-52jx-g6m5-h735

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-52jx-g6m5-h735/GHSA-52jx-g6m5-h735.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-52jx-g6m5-h735

Aliases

Published

2025-03-06T19:12:27Z

Modified

2025-03-14T20:32:17Z

Severity

9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Fleet has SAML authentication vulnerability due to improper SAML response validation

Details

Impact

In vulnerable versions of Fleet, an attacker could craft a specially-formed SAML response to:

Forge authentication assertions, potentially impersonating legitimate users.
If Just-In-Time (JIT) provisioning is enabled, the attacker could provision a new administrative user account.
If MDM enrollment is enabled, certain endpoints could be used to create new accounts tied to forged assertions.

This could allow unauthorized access to Fleet, including administrative access, visibility into device data, and modification of configuration.

Patches

This issue is addressed in commit fc96cc4 and is available in Fleet version 4.64.2.

The following backport versions also address this issue:

4.63.2
4.62.4
4.58.1
4.53.2

Workarounds

If an immediate upgrade is not possible, Fleet users should temporarily disable single-sign-on (SSO) and use password authentication.

Credit

Thank you @hakivvi, as well as Jeffrey Hofmann and Colby Morgan from the Robinhood Red Team for finding and reporting this vulnerability using our responsible disclosure process.

For more information

If you have any questions or comments about this advisory:

Email us at security@fleetdm.com
Join #fleet in osquery Slack

Database specific

{
    "nvd_published_at": "2025-03-06T19:15:27Z",
    "cwe_ids": [
        "CWE-285",
        "CWE-74"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-06T19:12:27Z"
}

References