cvelist/2022/41xxx/CVE-2022-41912.json

{
    "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-41912",
        "STATE": "PUBLIC",
        "TITLE": "crewjam/saml go library is vulnerable to signature bypass via multiple Assertion elements"
    },
    "affects": {
        "vendor": {
            "vendor_data": [
                {
                    "product": {
                        "product_data": [
                            {
                                "product_name": "saml",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_value": "< 0.4.9"
                                        }
                                    ]
                                }
                            }
                        ]
                    },
                    "vendor_name": "crewjam"
                }
            ]
        }
    },
    "data_format": "MITRE",
    "data_type": "CVE",
    "data_version": "4.0",
    "description": {
        "description_data": [
            {
                "lang": "eng",
                "value": "The crewjam/saml go library prior to version 0.4.9 is vulnerable to an authentication bypass when processing SAML responses containing multiple Assertion elements. This issue has been corrected in version 0.4.9. There are no workarounds other than upgrading to a fixed version."
            }
        ]
    },
    "impact": {
        "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
        }
    },
    "problemtype": {
        "problemtype_data": [
            {
                "description": [
                    {
                        "lang": "eng",
                        "value": "CWE-287: Improper Authentication"
                    }
                ]
            }
        ]
    },
    "references": {
        "reference_data": [
            {
                "name": "https://github.com/crewjam/saml/security/advisories/GHSA-j2jp-wvqg-wc2g",
                "refsource": "CONFIRM",
                "url": "https://github.com/crewjam/saml/security/advisories/GHSA-j2jp-wvqg-wc2g"
            },
            {
                "name": "https://github.com/crewjam/saml/commit/aee3fb1edeeaf1088fcb458727e0fd863d277f8b",
                "refsource": "MISC",
                "url": "https://github.com/crewjam/saml/commit/aee3fb1edeeaf1088fcb458727e0fd863d277f8b"
            },
            {
                "refsource": "MISC",
                "name": "http://packetstormsecurity.com/files/170356/crewjam-saml-Signature-Bypass.html",
                "url": "http://packetstormsecurity.com/files/170356/crewjam-saml-Signature-Bypass.html"
            }
        ]
    },
    "source": {
        "advisory": "GHSA-j2jp-wvqg-wc2g",
        "discovery": "UNKNOWN"
    }
}
"-Synchronized-Data." 2022-09-30 17:00:33 +00:00			`{`
			`"CVE_data_meta": {`
Add CVE-2022-41912 for GHSA-j2jp-wvqg-wc2g Add CVE-2022-41912 for GHSA-j2jp-wvqg-wc2g 2022-11-28 14:25:10 +00:00			`"ASSIGNER": "security-advisories@github.com",`
"-Synchronized-Data." 2022-09-30 17:00:33 +00:00			`"ID": "CVE-2022-41912",`
Add CVE-2022-41912 for GHSA-j2jp-wvqg-wc2g Add CVE-2022-41912 for GHSA-j2jp-wvqg-wc2g 2022-11-28 14:25:10 +00:00			`"STATE": "PUBLIC",`
			`"TITLE": "crewjam/saml go library is vulnerable to signature bypass via multiple Assertion elements"`
"-Synchronized-Data." 2022-09-30 17:00:33 +00:00			`},`
Add CVE-2022-41912 for GHSA-j2jp-wvqg-wc2g Add CVE-2022-41912 for GHSA-j2jp-wvqg-wc2g 2022-11-28 14:25:10 +00:00			`"affects": {`
			`"vendor": {`
			`"vendor_data": [`
			`{`
			`"product": {`
			`"product_data": [`
			`{`
			`"product_name": "saml",`
			`"version": {`
			`"version_data": [`
			`{`
			`"version_value": "< 0.4.9"`
			`}`
			`]`
			`}`
			`}`
			`]`
			`},`
			`"vendor_name": "crewjam"`
			`}`
			`]`
			`}`
			`},`
			`"data_format": "MITRE",`
			`"data_type": "CVE",`
			`"data_version": "4.0",`
"-Synchronized-Data." 2022-09-30 17:00:33 +00:00			`"description": {`
			`"description_data": [`
			`{`
			`"lang": "eng",`
"-Synchronized-Data." 2022-11-28 15:00:37 +00:00			`"value": "The crewjam/saml go library prior to version 0.4.9 is vulnerable to an authentication bypass when processing SAML responses containing multiple Assertion elements. This issue has been corrected in version 0.4.9. There are no workarounds other than upgrading to a fixed version."`
Add CVE-2022-41912 for GHSA-j2jp-wvqg-wc2g Add CVE-2022-41912 for GHSA-j2jp-wvqg-wc2g 2022-11-28 14:25:10 +00:00			`}`
			`]`
			`},`
			`"impact": {`
			`"cvss": {`
			`"attackComplexity": "LOW",`
			`"attackVector": "NETWORK",`
			`"availabilityImpact": "NONE",`
			`"baseScore": 9.1,`
			`"baseSeverity": "CRITICAL",`
			`"confidentialityImpact": "HIGH",`
			`"integrityImpact": "HIGH",`
			`"privilegesRequired": "NONE",`
			`"scope": "UNCHANGED",`
			`"userInteraction": "NONE",`
			`"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",`
			`"version": "3.1"`
			`}`
			`},`
			`"problemtype": {`
			`"problemtype_data": [`
			`{`
			`"description": [`
			`{`
			`"lang": "eng",`
			`"value": "CWE-287: Improper Authentication"`
			`}`
			`]`
"-Synchronized-Data." 2022-09-30 17:00:33 +00:00			`}`
			`]`
Add CVE-2022-41912 for GHSA-j2jp-wvqg-wc2g Add CVE-2022-41912 for GHSA-j2jp-wvqg-wc2g 2022-11-28 14:25:10 +00:00			`},`
			`"references": {`
			`"reference_data": [`
			`{`
			`"name": "https://github.com/crewjam/saml/security/advisories/GHSA-j2jp-wvqg-wc2g",`
			`"refsource": "CONFIRM",`
			`"url": "https://github.com/crewjam/saml/security/advisories/GHSA-j2jp-wvqg-wc2g"`
			`},`
			`{`
			`"name": "https://github.com/crewjam/saml/commit/aee3fb1edeeaf1088fcb458727e0fd863d277f8b",`
			`"refsource": "MISC",`
			`"url": "https://github.com/crewjam/saml/commit/aee3fb1edeeaf1088fcb458727e0fd863d277f8b"`
"-Synchronized-Data." 2023-01-02 18:00:36 +00:00			`},`
			`{`
			`"refsource": "MISC",`
			`"name": "http://packetstormsecurity.com/files/170356/crewjam-saml-Signature-Bypass.html",`
			`"url": "http://packetstormsecurity.com/files/170356/crewjam-saml-Signature-Bypass.html"`
Add CVE-2022-41912 for GHSA-j2jp-wvqg-wc2g Add CVE-2022-41912 for GHSA-j2jp-wvqg-wc2g 2022-11-28 14:25:10 +00:00			`}`
			`]`
			`},`
			`"source": {`
			`"advisory": "GHSA-j2jp-wvqg-wc2g",`
			`"discovery": "UNKNOWN"`
"-Synchronized-Data." 2022-09-30 17:00:33 +00:00			`}`
			`}`