CVE-2018-1000165

EUVD-2022-5353
LightSAML version prior to 1.3.5 contains a Incorrect Access Control vulnerability in signature validation in readers in src/LightSaml/Model/XmlDSig/ that can result in impersonation of any user from Identity Provider. This vulnerability appears to have been fixed in 1.3.5 and later.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 41%
Affected Products (NVD)
VendorProductVersion
lightsamllightsaml
𝑥
< 1.3.5
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/lightSAML/lightSAML/commit/47cef07bb09779df15620799f3763d1b8d32307a
https://github.com/lightSAML/lightSAML/releases/tag/1.3.5
https://github.com/lightSAML/lightSAML/commit/47cef07bb09779df15620799f3763d1b8d32307a
https://github.com/lightSAML/lightSAML/releases/tag/1.3.5