How severe is CVE-2022-39300?

This vulnerability has a severity rating of HIGH with a CVSS score of 8.1 out of 10.

What type of vulnerability is CVE-2022-39300?

This is classified as CWE-347, which is a common weakness in software security.

CVE-2022-39300 - HIGH Severity | CVSS 8.1

Vulnerability Description

node SAML is a SAML 2.0 library based on the SAML implementation of passport-saml. A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML element. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if generation of a signed message can be triggered. Users should upgrade to node-saml version 4.0.0-beta5 or newer. Disabling SAML authentication may be done as a workaround.

Related Vulnerabilities

CVE-2017-16852

HIGH

CVSS:8.1(High)

shibsp/metadata/DynamicMetadataProvider.cpp in the Dynamic MetadataProvider plugin in Shibboleth Service Provider before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and do...

CWE-3472017

CVE-2017-16853

HIGH

CVSS:8.1(High)

The DynamicMetadataProvider class in saml/saml2/metadata/impl/DynamicMetadataProvider.cpp in OpenSAML-C in OpenSAML before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and ...

CWE-3472017

CVE-2017-18122

HIGH

CVSS:8.1(High)

A signature-validation bypass issue was discovered in SimpleSAMLphp through 1.14.16. A SimpleSAMLphp Service Provider using SAML 1.1 will regard as valid any unsigned SAML response containing more tha...

CWE-3472017

CVE-2018-7711

HIGH

CVSS:8.1(High)

HTTPRedirect.php in the saml2 library in SimpleSAMLphp before 1.15.4 has an incorrect check of return values in the signature validation utilities, allowing an attacker to get invalid signatures accep...

CWE-3472018

CVE-2021-3051

HIGH

CVSS:8.1(High)

An improper verification of cryptographic signature vulnerability exists in Cortex XSOAR SAML authentication that enables an unauthenticated network-based attacker with specific knowledge of the Corte...

CWE-3472021

CVE-2022-23610

HIGH

CVSS:8.1(High)

wire-server provides back end services for Wire, an open source messenger. In versions of wire-server prior to the 2022-01-27 release, it was possible to craft DSA Signatures to bypass SAML SSO and im...

CWE-3472022