CVE-2018-1000165

LightSAML version prior to 1.3.5 contains a Incorrect Access Control vulnerability in signature validation in readers in src/LightSaml/Model/XmlDSig/ that can result in impersonation of any user from Identity Provider. This vulnerability appears to have been fixed in 1.3.5 and later.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 42%
VendorProductVersion
lightsamllightsaml
𝑥
< 1.3.5
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/lightSAML/lightSAML/commit/47cef07bb09779df15620799f3763d1b8d32307a
https://github.com/lightSAML/lightSAML/releases/tag/1.3.5
https://github.com/lightSAML/lightSAML/commit/47cef07bb09779df15620799f3763d1b8d32307a
https://github.com/lightSAML/lightSAML/releases/tag/1.3.5