Description
Wizkunde SAMLBase may incorrectly use the results of XML DOM traversal and canonicalization APIs in such a way that an attacker can manipulate the SAML data without invalidating the cryptographic signature, potentially allowing the attacker to bypass authentication to SAML service providers.
References (4)
Core References
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations (Exploit, Third Party Advisory; x_refsource_misc)
https://www.kb.cert.org/vuls/id/475445 (Third Party Advisory, US Government Resource; third-party-advisory, x_refsource_cert-vn)
https://github.com/GoGentoOSS/SAMLBase/issues/3 (Issue Tracking, Patch, Third Party Advisory; x_refsource_confirm)
https://github.com/GoGentoOSS/SAMLBase/commit/482cdf8c090e0f1179073034ebcb609ac7c3f5b3 (Patch, Third Party Advisory; x_refsource_confirm)
Scores
CVSS v3
7.5
EPSS
0.0166
EPSS Percentile
73.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-287
CWE-347
Status
published
Products (2)
gogentooss/samlbase
0 - 1.2.7 (Packagist)
wizkunde/samlbase
< 1.4.2
Published
Jul 24, 2018
Tracked Since
Feb 18, 2026