GHSA-599h-8wpj-75xj
Suggest an improvement- Source
- https://github.com/advisories/GHSA-599h-8wpj-75xj
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-599h-8wpj-75xj/GHSA-599h-8wpj-75xj.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-599h-8wpj-75xj
- Aliases
- Published
- 2021-06-23T17:23:30Z
- Modified
- 2025-01-14T08:57:30.219893Z
- Severity
-
- 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- Authentication Bypass in tyk-identity-broker
- Details
-
The package github.com/tyktechnologies/tyk-identity-broker before 1.1.1 are vulnerable to Authentication Bypass via the Go XML parser which can cause SAML authentication bypass. This is because the XML parser doesn’t guarantee integrity in the XML round-trip (encoding/decoding XML data).
- Database specific
{ "nvd_published_at": "2021-04-26T10:15:00Z", "github_reviewed_at": "2021-05-20T21:24:49Z", "severity": "CRITICAL", "github_reviewed": true, "cwe_ids": [ "CWE-287" ] }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2021-23365
- https://github.com/TykTechnologies/tyk-identity-broker/pull/147
- https://github.com/TykTechnologies/tyk-identity-broker/commit/243092965b0f93a95a14cb882b5b9a3df61dd5c0
- https://github.com/TykTechnologies/tyk-identity-broker/commit/46f70420e0911e4e8b638575e29d394c227c75d0
- https://github.com/TykTechnologies/tyk-identity-broker/releases/tag/v1.1.1
- https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTYKTECHNOLOGIESTYKIDENTITYBROKER-1089720
Affected packages
Go / github.com/tyktechnologies/tyk-identity-broker
Package
- Name
- github.com/tyktechnologies/tyk-identity-broker
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/tyktechnologies/tyk-identity-broker