GHSA-7fpw-cfc4-3p2c

Suggest an improvement
Source
https://github.com/advisories/GHSA-7fpw-cfc4-3p2c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/12/GHSA-7fpw-cfc4-3p2c/GHSA-7fpw-cfc4-3p2c.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-7fpw-cfc4-3p2c
Withdrawn
2023-06-21T22:00:08Z
Published
2017-12-28T22:51:45Z
Modified
2023-06-21T22:00:08Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Duplicate advisory: High severity vulnerability that affects passport-wsfed-saml2
Details

Duplicate advisory

This advisory has been withdrawn because it is a duplicate of GHSA-77fw-rf4v-vfp9. This link is maintained to preserve external references.

Original Description

A vulnerability has been discovered in the Auth0 passport-wsfed-saml2 library affecting versions < 3.0.5. This vulnerability allows an attacker to impersonate another user and potentially elevate their privileges if the SAML identity provider does not sign the full SAML response (e.g., only signs the assertion within the response).

Database specific 
{
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:22:38Z",
    "nvd_published_at": null,
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-290"
    ]
}
References

Affected packages

npm / passport-wsfed-saml2

Package

Name
passport-wsfed-saml2
View open source insights on deps.dev
Purl
pkg:npm/passport-wsfed-saml2

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.0.5

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/12/GHSA-7fpw-cfc4-3p2c/GHSA-7fpw-cfc4-3p2c.json"