Add CVE-2022-41912 for GHSA-j2jp-wvqg-wc2g

2025-06-10 02:04:31 +00:00 · 2022-11-28 14:25:10 +00:00 · 2022-11-28 14:25:10 +00:00 · 322d697300
commit 322d697300
parent 1ebfd90e73
1 changed files with 76 additions and 6 deletions
--- a/2022/41xxx/CVE-2022-41912.json
+++ b/2022/41xxx/CVE-2022-41912.json
@ -1,18 +1,88 @@
 {
-    "data_type": "CVE",
-    "data_format": "MITRE",
-    "data_version": "4.0",
    "CVE_data_meta": {
+        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-41912",
-        "ASSIGNER": "cve@mitre.org",
-        "STATE": "RESERVED"
+        "STATE": "PUBLIC",
+        "TITLE": "crewjam/saml go library is vulnerable to signature bypass via multiple Assertion elements"
    },
+    "affects": {
+        "vendor": {
+            "vendor_data": [
+                {
+                    "product": {
+                        "product_data": [
+                            {
+                                "product_name": "saml",
+                                "version": {
+                                    "version_data": [
+                                        {
+                                            "version_value": "< 0.4.9"
+                                        }
+                                    ]
+                                }
+                            }
+                        ]
+                    },
+                    "vendor_name": "crewjam"
+                }
+            ]
+        }
+    },
+    "data_format": "MITRE",
+    "data_type": "CVE",
+    "data_version": "4.0",
    "description": {
        "description_data": [
            {
                "lang": "eng",
-                "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+                "value": "The crewjam/saml go library prior to version 0.4.9 is vulnerable to an authentication bypass when processing SAML responses containing multiple Assertion elements. This issue has been corrected in version 0.4.9. There are no workarounds other than upgrading to a fixed version.\n"
            }
        ]
+    },
+    "impact": {
+        "cvss": {
+            "attackComplexity": "LOW",
+            "attackVector": "NETWORK",
+            "availabilityImpact": "NONE",
+            "baseScore": 9.1,
+            "baseSeverity": "CRITICAL",
+            "confidentialityImpact": "HIGH",
+            "integrityImpact": "HIGH",
+            "privilegesRequired": "NONE",
+            "scope": "UNCHANGED",
+            "userInteraction": "NONE",
+            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
+            "version": "3.1"
+        }
+    },
+    "problemtype": {
+        "problemtype_data": [
+            {
+                "description": [
+                    {
+                        "lang": "eng",
+                        "value": "CWE-287: Improper Authentication"
+                    }
+                ]
+            }
+        ]
+    },
+    "references": {
+        "reference_data": [
+            {
+                "name": "https://github.com/crewjam/saml/security/advisories/GHSA-j2jp-wvqg-wc2g",
+                "refsource": "CONFIRM",
+                "url": "https://github.com/crewjam/saml/security/advisories/GHSA-j2jp-wvqg-wc2g"
+            },
+            {
+                "name": "https://github.com/crewjam/saml/commit/aee3fb1edeeaf1088fcb458727e0fd863d277f8b",
+                "refsource": "MISC",
+                "url": "https://github.com/crewjam/saml/commit/aee3fb1edeeaf1088fcb458727e0fd863d277f8b"
+            }
+        ]
+    },
+    "source": {
+        "advisory": "GHSA-j2jp-wvqg-wc2g",
+        "discovery": "UNKNOWN"
    }
 }