GHSA-5379-r78w-42h2
Suggest an improvement- Source
- https://github.com/advisories/GHSA-5379-r78w-42h2
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-5379-r78w-42h2/GHSA-5379-r78w-42h2.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-5379-r78w-42h2
- Aliases
- Related
- Published
- 2021-08-30T16:11:57Z
- Modified
- 2024-02-10T00:55:45Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
- Summary
- Unlimited transforms allowed for signed nodes
- Details
-
Impact
A malicious SAML payload can require transforms that consume significant system resources to process, thereby resulting in reduced or denied service. This would be an effective way to perform a denial-of-service attack.
Patches
This has been resolved in version 3.1.0. The resolution is to limit the number of allowable transforms to 2.
References
https://github.com/node-saml/passport-saml/pull/595
- Database specific
{ "nvd_published_at": "2021-08-27T22:15:00Z", "cwe_ids": [ "CWE-400" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2021-08-27T23:25:28Z" }- References
-
- https://github.com/node-saml/passport-saml/security/advisories/GHSA-5379-r78w-42h2
- https://nvd.nist.gov/vuln/detail/CVE-2021-39171
- https://github.com/node-saml/passport-saml/pull/595
- https://github.com/node-saml/passport-saml/commit/f1e00b64c21a725f545e675cd810bbaa435a3972
- https://github.com/node-saml/passport-saml
Affected packages
npm / passport-saml
Package
- Name
- passport-saml
- View open source insights on deps.dev
- Purl
- pkg:npm/passport-saml