FKIE_CVE-2025-24895

Vulnerability from fkie_nvd - Published: 2025-02-18 19:15 - Updated: 2025-02-18 19:15
Severity: CRITICAL (CVSS v3.1 base score 9.1, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, as scored by the GitHub advisory source; NVD status: Awaiting Analysis)
Summary
CIE.AspNetCore.Authentication is an ASP.NET Core remote authenticator for CIE 3.0. Authentication with Spid and CIE is based on the SAML 2.0 standard, which defines two entities: 1. the Identity Provider (IdP), which authenticates users and delivers identity information (the SAML assertion) to the Service Provider, and is therefore responsible for managing users' credentials and identities; 2. the Service Provider (SP), which offers a service to the user, relies on the IdP to authenticate that user, and receives SAML assertions from the IdP in order to grant access to resources. The cie-aspnetcore library implements the second role, the SP, including the validation of SAML assertions carried in SAML responses. In affected versions the library verifies the first XML signature it finds without checking that this signature covers the root object being validated; consequently, if an attacker places a legitimately signed element ahead of everything else in the response, that element's signature is the one verified and no other signature is checked. The only prerequisite is an XML element genuinely signed by the IdP, which is easy to obtain because the IdP's public metadata contains one. An attacker can therefore craft an arbitrary SAML response that an SP built on a vulnerable SDK accepts, and impersonate any Spid and/or CIE user. The issue is fixed in version 2.1.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
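The signature-selection flaw described above, modelled as an added example; this is not code from cie-aspnetcore or from the advisory. The namespaces are the real SAML/XMLDSig ones, but the element IDs, entity names, the messages and the HMAC-SHA256 stand-in for the IdP's RSA key are assumptions made so the model runs on the Python standard library alone (C14N, digests and certificate handling of real XMLDSig are deliberately left out). validate_vulnerable follows the affected pattern: it verifies whichever ds:Signature comes first in document order and then trusts the whole Response. validate_hardened shows the binding checks that close the hole: the signature must be a direct child of the Response, its Reference URI must name the Response's own ID, and the signature must verify over that element. forged_response builds the attack from nothing but the IdP's published, signed metadata element.

```python
"""Model of the CVE-2025-24895 signature-selection flaw (constructed example).

HMAC-SHA256 under a key only the IdP holds stands in for the IdP's RSA key so the
example runs on the standard library alone; the argument is unchanged because the
attacker never holds the key and cannot sign content of their own.
"""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
for _p, _u in (("samlp", SAMLP), ("saml", SAML), ("md", MD), ("ds", DS)):
    ET.register_namespace(_p, _u)  # fixed prefixes keep serialisation deterministic

SIG_TAG = f"{{{DS}}}Signature"
IDP_KEY = b"constructed-idp-signing-key"  # assumption: known to the IdP only


def signed_bytes(elem):
    """Enveloped-signature transform: serialise elem without its own ds:Signature."""
    clone = copy.deepcopy(elem)
    for sig in clone.findall(SIG_TAG):
        clone.remove(sig)
    return ET.tostring(clone, encoding="utf-8")


def sign(elem, key=IDP_KEY):
    """Attach an enveloped signature whose Reference URI names elem's ID."""
    sig = ET.Element(SIG_TAG)
    info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(info, f"{{{DS}}}Reference", URI="#" + elem.get("ID"))
    value = hmac.new(key, signed_bytes(elem), hashlib.sha256).hexdigest()
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = value
    elem.insert(0, sig)
    return elem


def signature_valid(sig, target, key=IDP_KEY):
    """True if sig's SignatureValue was computed over target."""
    value = sig.findtext(f"{{{DS}}}SignatureValue") or ""
    expect = hmac.new(key, signed_bytes(target), hashlib.sha256).hexdigest()
    return hmac.compare_digest(value, expect)


def reference_uri(sig):
    ref = sig.find(f".//{{{DS}}}Reference")
    return ref.get("URI", "") if ref is not None else ""


def element_by_id(root, ref_id):
    return next((e for e in root.iter() if e.get("ID") == ref_id), None)


def subject_of(response):
    return response.findtext(f".//{{{SAML}}}NameID")


def validate_vulnerable(xml_bytes):
    """Affected pattern: verify the first ds:Signature in document order, whatever it
    refers to, then trust the whole Response."""
    root = ET.fromstring(xml_bytes)
    sig = root.find(f".//{SIG_TAG}")
    if sig is None:
        return None
    target = element_by_id(root, reference_uri(sig).lstrip("#"))
    if target is None or not signature_valid(sig, target):
        return None
    return subject_of(root)


def validate_hardened(xml_bytes):
    """Bind the signature to the object being validated: exactly one ds:Signature that
    is a direct child of the Response, references the Response's ID, and verifies over it."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}Response":
        return None
    sigs = root.findall(SIG_TAG)
    if len(sigs) != 1 or reference_uri(sigs[0]) != "#" + (root.get("ID") or ""):
        return None
    if not signature_valid(sigs[0], root):
        return None
    return subject_of(root)


# --- constructed messages ---------------------------------------------------

def idp_metadata():
    """What the IdP publishes: a signed EntityDescriptor anyone can download."""
    md = ET.Element(f"{{{MD}}}EntityDescriptor", ID="_idp-meta", entityID="https://idp.example")
    ET.SubElement(md, f"{{{MD}}}IDPSSODescriptor")
    return ET.tostring(sign(md), encoding="utf-8")


def unsigned_response(subject):
    resp = ET.Element(f"{{{SAMLP}}}Response", ID="_resp-1")
    asrt = ET.SubElement(resp, f"{{{SAML}}}Assertion", ID="_asrt-1")
    ET.SubElement(ET.SubElement(asrt, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameID").text = subject
    return resp


def legitimate_response(subject="alice"):
    """Response the IdP signs for a real login."""
    return ET.tostring(sign(unsigned_response(subject)), encoding="utf-8")


def forged_response(victim="admin"):
    """Attacker's Response for the victim: no key, but the IdP's signed metadata element
    is wrapped in as the first child, so its Signature is the first one in the document."""
    resp = unsigned_response(victim)
    resp.insert(0, ET.fromstring(idp_metadata()))
    return ET.tostring(resp, encoding="utf-8")


if __name__ == "__main__":
    print("legit  / vulnerable:", validate_vulnerable(legitimate_response()))
    print("legit  / hardened:  ", validate_hardened(legitimate_response()))
    print("forged / vulnerable:", validate_vulnerable(forged_response()))
    print("forged / hardened:  ", validate_hardened(forged_response()))
```

The same binding (direct child, Reference URI equal to the element's own ID, verification over that element) has to be applied again to the Assertion when the SP accepts assertion-level signatures; the model only shows the Response level. Note also that the hardened path rejects a response carrying more than one top-level signature rather than picking one, which removes the attacker's choice of which signature gets verified.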

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "CIE.AspNetCore.Authentication is an AspNetCore Remote Authenticator for CIE 3.0. Authentication using Spid and CIE is based on the SAML2 standard which provides two entities: 1. Identity Provider (IDP): the system that authenticates users and provides identity information (SAML affirmation) to the Service Provider, in essence, is responsible for the management of the credentials and identity of users; 2. Service Provider (SP): the system that provides a service to the user and relies on the Identity Provider to authenticate the user, receives SAML assertions from the IdP to grant access to resources. The library cie-aspnetcore refers to the second entity, the SP, and implements the validation logic of SAML assertions within SAML responses. In affected versions there is no guarantee that the first signature refers to the root object, it follows that if an attacker injects an item signed as the first element, all other signatures will not be verified. The only requirement is to have an XML element legitimately signed by the IdP, a condition that is easily met using the IdP\u0027s public metadata. An attacker could create an arbitrary SAML response that would be accepted by SPs using vulnerable SDKs, allowing him to impersonate any Spid and/or CIE user. This issue has been addressed in version 2.1.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
    }
  ],
  "id": "CVE-2025-24895",
  "lastModified": "2025-02-18T19:15:28.240",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-02-18T19:15:28.240",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/italia/cie-aspnetcore/security/advisories/GHSA-vq63-8f72-f486"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

