CVE-2017-16897

HIGH

Auth0 passport-wsfed-saml2 <3.0.5 - Privilege Escalation

Title source: llm
STIX 2.1

Description

A vulnerability has been discovered in the Auth0 passport-wsfed-saml2 library affecting versions < 3.0.5. This vulnerability allows an attacker to impersonate another user and potentially elevate their privileges if the SAML identity provider does not sign the full SAML response (e.g., only signs the assertion within the response).

References (1)

Core 1
Core References
Vendor Advisory x_refsource_confirm
https://auth0.com/docs/security/bulletins/cve-2017-16897

Scores

CVSS v3 8.1
EPSS 0.0114
EPSS Percentile 62.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-290
Status published
Products (2)
auth0/passport-wsfed-saml2 < 3.0.5
npm/passport-wsfed-saml2 0 - 3.0.5npm
Published Dec 27, 2017
Tracked Since Feb 18, 2026