Overview
This vulnerability allows an attacker to impersonate any user during SAML authentication by crafting a SAMLResponse. This can be done by using a valid SAML object that was signed by the configured IdP.
Am I Affected?
You are affected by this SAML Signature Wrapping vulnerability if you are using passport-wsfed-saml2 version 4.5.1 or below, specifically under the following conditions:
- The service provider is using passport-wsfed-saml2,
- A valid SAML document signed by the Identity Provider can be obtained.
Fix
Upgrade to v4.6.4 or greater.
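To illustrate the defect class named in the Overview from the defender's side, the following is an added example (not code from passport-wsfed-saml2 or its maintainers) of the binding check a service provider needs once a signature has validated cryptographically: the assertion it consumes must be the very element that the signature's Reference URI names, and that ID must occur exactly once in the document. The namespace URIs are the standard SAML 2.0 and XML-DSig ones; the two response documents are constructed samples, and cryptographic verification of the signature is assumed to happen elsewhere.

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 / XML-DSig namespaces.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: the only assertion is the one the signature covers.
BENIGN = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
 <saml:Assertion ID="_a1"><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
 </saml:Assertion></samlp:Response>"""

# Constructed sample: the first assertion in document order is NOT the signed one.
MISMATCHED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp2">
 <saml:Assertion ID="_b2"><saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject></saml:Assertion>
 <saml:Assertion ID="_a1"><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
 </saml:Assertion></samlp:Response>"""


def signed_element_id(root):
    """Return the ID named by the ds:Reference URI (same-document references only)."""
    ref = root.find(".//ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None:
        raise ValueError("no ds:Reference in document")
    uri = ref.get("URI", "")
    if not uri.startswith("#"):
        raise ValueError("only same-document references are accepted")
    return uri[1:]


def assertion_is_the_signed_one(xml_text):
    """True only if the assertion a consumer would use (the first saml:Assertion in
    document order) is the element the signature references, and that ID is unique.
    Assumes the signature itself was already verified against the IdP certificate."""
    root = ET.fromstring(xml_text)
    target_id = signed_element_id(root)
    assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion in document")
    holders = [e for e in root.iter() if e.get("ID") == target_id]
    return len(holders) == 1 and assertion.get("ID") == target_id
```

A response-level signature (Reference URI naming the Response ID) needs the analogous check against the Response element and its direct child Assertion; this block covers the assertion-signed case only.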