cve-2020-5268
Vulnerability from cvelistv5
Published
2020-04-21 15:30
Modified
2024-08-04 08:22
Severity ?
EPSS score ?
Summary
Subject Confirmation Method not validated in Saml2 Authentication Services for ASP.NET
References
▼ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://github.com/Sustainsys/Saml2/commit/e58e0a1aff2b1ead6aca080b7cdced55ee6d5241 | Patch, Third Party Advisory | |
security-advisories@github.com | https://github.com/Sustainsys/Saml2/issues/712 | Third Party Advisory | |
security-advisories@github.com | https://github.com/Sustainsys/Saml2/security/advisories/GHSA-9475-xg6m-j7pw | Mitigation, Third Party Advisory | |
security-advisories@github.com | https://www.nuget.org/packages/Sustainsys.Saml2/ | Third Party Advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Sustainsys | Saml2 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T08:22:09.027Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Sustainsys/Saml2/commit/e58e0a1aff2b1ead6aca080b7cdced55ee6d5241" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/Sustainsys/Saml2/security/advisories/GHSA-9475-xg6m-j7pw" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Sustainsys/Saml2/issues/712" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.nuget.org/packages/Sustainsys.Saml2/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Saml2", "vendor": "Sustainsys", "versions": [ { "status": "affected", "version": "\u003c 1.0.2" }, { "status": "affected", "version": "\u003e= 2.0.0, \u003c= 2.6.0" } ] } ], "descriptions": [ { "lang": "en", "value": "In Saml2 Authentication Services for ASP.NET versions before 1.0.2, and between 2.0.0 and 2.6.0, there is a vulnerability in how tokens are validated in some cases. Saml2 tokens are usually used as bearer tokens - a caller that presents a token is assumed to be the subject of the token. There is also support in the Saml2 protocol for issuing tokens that is tied to a subject through other means, e.g. holder-of-key where possession of a private key must be proved. The Sustainsys.Saml2 library incorrectly treats all incoming tokens as bearer tokens, even though they have another subject confirmation method specified. This could be used by an attacker that could get access to Saml2 tokens with another subject confirmation method than bearer. The attacker could then use such a token to create a log in session. This vulnerability is patched in versions 1.0.2 and 2.7.0." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-303", "description": "CWE-303: Incorrect Implementation of Authentication Algorithm", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2020-04-23T20:01:38", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Sustainsys/Saml2/commit/e58e0a1aff2b1ead6aca080b7cdced55ee6d5241" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Sustainsys/Saml2/security/advisories/GHSA-9475-xg6m-j7pw" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Sustainsys/Saml2/issues/712" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.nuget.org/packages/Sustainsys.Saml2/" } ], "source": { "advisory": "GHSA-9475-xg6m-j7pw", "discovery": "UNKNOWN" }, "title": "Subject Confirmation Method not validated in Saml2 Authentication Services for ASP.NET", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-5268", "STATE": "PUBLIC", "TITLE": "Subject Confirmation Method not validated in Saml2 Authentication Services for ASP.NET" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Saml2", "version": { "version_data": [ { "version_value": "\u003c 1.0.2" }, { "version_value": "\u003e= 2.0.0, \u003c= 2.6.0" } ] } } ] }, "vendor_name": "Sustainsys" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Saml2 Authentication 
Services for ASP.NET versions before 1.0.2, and between 2.0.0 and 2.6.0, there is a vulnerability in how tokens are validated in some cases. Saml2 tokens are usually used as bearer tokens - a caller that presents a token is assumed to be the subject of the token. There is also support in the Saml2 protocol for issuing tokens that is tied to a subject through other means, e.g. holder-of-key where possession of a private key must be proved. The Sustainsys.Saml2 library incorrectly treats all incoming tokens as bearer tokens, even though they have another subject confirmation method specified. This could be used by an attacker that could get access to Saml2 tokens with another subject confirmation method than bearer. The attacker could then use such a token to create a log in session. This vulnerability is patched in versions 1.0.2 and 2.7.0." } ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-303: Incorrect Implementation of Authentication Algorithm" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/Sustainsys/Saml2/commit/e58e0a1aff2b1ead6aca080b7cdced55ee6d5241", "refsource": "MISC", "url": "https://github.com/Sustainsys/Saml2/commit/e58e0a1aff2b1ead6aca080b7cdced55ee6d5241" }, { "name": "https://github.com/Sustainsys/Saml2/security/advisories/GHSA-9475-xg6m-j7pw", "refsource": "CONFIRM", "url": "https://github.com/Sustainsys/Saml2/security/advisories/GHSA-9475-xg6m-j7pw" }, { "name": "https://github.com/Sustainsys/Saml2/issues/712", "refsource": "MISC", "url": "https://github.com/Sustainsys/Saml2/issues/712" }, { "name": 
"https://www.nuget.org/packages/Sustainsys.Saml2/", "refsource": "MISC", "url": "https://www.nuget.org/packages/Sustainsys.Saml2/" } ] }, "source": { "advisory": "GHSA-9475-xg6m-j7pw", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-5268", "datePublished": "2020-04-21T15:30:37", "dateReserved": "2020-01-02T00:00:00", "dateUpdated": "2024-08-04T08:22:09.027Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2020-5268\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2020-04-21T17:15:13.053\",\"lastModified\":\"2020-05-06T17:26:40.847\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In Saml2 Authentication Services for ASP.NET versions before 1.0.2, and between 2.0.0 and 2.6.0, there is a vulnerability in how tokens are validated in some cases. Saml2 tokens are usually used as bearer tokens - a caller that presents a token is assumed to be the subject of the token. There is also support in the Saml2 protocol for issuing tokens that is tied to a subject through other means, e.g. holder-of-key where possession of a private key must be proved. The Sustainsys.Saml2 library incorrectly treats all incoming tokens as bearer tokens, even though they have another subject confirmation method specified. This could be used by an attacker that could get access to Saml2 tokens with another subject confirmation method than bearer. The attacker could then use such a token to create a log in session. This vulnerability is patched in versions 1.0.2 and 2.7.0.\"},{\"lang\":\"es\",\"value\":\"En Saml2 Authentication Services para las versiones ASP.NET en versiones anteriores a la 1.0.2, y entre 2.0.0 y 2.6.0, existe una vulnerabilidad en la forma en que se validan los tokens en algunos casos. 
Los tokens Saml2 generalmente se usan como token de portador: se supone que una persona que llama que presenta un token es el sujeto del token. Tambi\u00e9n hay soporte en el protocolo Saml2 para emitir tokens vinculados a un sujeto a trav\u00e9s de otros medios, p. titular de la clave donde debe demostrarse la posesi\u00f3n de una clave privada. La biblioteca Sustainsys.Saml2 trata incorrectamente todos los tokens entrantes como tokens de portador, aunque tengan otro m\u00e9todo de confirmaci\u00f3n de sujeto especificado. Esto podr\u00eda ser utilizado por un atacante que podr\u00eda obtener acceso a los tokens Saml2 con otro m\u00e9todo de confirmaci\u00f3n de sujeto que el portador. El atacante podr\u00eda usar ese token para crear una sesi\u00f3n de inicio de sesi\u00f3n. Esta vulnerabilidad est\u00e1 parcheada en las versiones 1.0.2 y 2.7.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":2.1,\"impactScore\":5.2},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":1.3,\"impactScore\":4.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorS
tring\":\"AV:N/AC:M/Au:S/C:P/I:P/A:N\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\",\"baseScore\":4.9},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":6.8,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-303\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sustainsys:saml2:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.0.2\",\"matchCriteriaId\":\"E920AE48-2FCB-479F-AA28-CD7AA3B548AD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sustainsys:saml2:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0.0\",\"versionEndExcluding\":\"2.7.0\",\"matchCriteriaId\":\"0DDDAA6B-BAB1-4BAA-97C8-65A2F3F9244C\"}]}]}],\"references\":[{\"url\":\"https://github.com/Sustainsys/Saml2/commit/e58e0a1aff2b1ead6aca080b7cdced55ee6d5241\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/Sustainsys/Saml2/issues/712\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/Sustainsys/Saml2/security/advisories/GHSA-9475-xg6m-j7pw\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"https://www.nuget.org/packages/Sustainsys.Saml2/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]}]}}" } }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.