CVE-2018-5387

Wizkunde SAMLBase may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
certccCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 47%
VendorProductVersion
wizkundesamlbase
𝑥
< 1.4.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
https://github.com/GoGentoOSS/SAMLBase/commit/482cdf8c090e0f1179073034ebcb609ac7c3f5b3
https://github.com/GoGentoOSS/SAMLBase/issues/3
https://www.kb.cert.org/vuls/id/475445
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
https://github.com/GoGentoOSS/SAMLBase/commit/482cdf8c090e0f1179073034ebcb609ac7c3f5b3
https://github.com/GoGentoOSS/SAMLBase/issues/3
https://www.kb.cert.org/vuls/id/475445