OneLogin PythonSAML 2.3.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.
References
Link | Resource |
---|---|
https://www.kb.cert.org/vuls/id/475445 | US Government Resource Third Party Advisory |
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations | Exploit Technical Description Third Party Advisory |
Configurations
Information
Published : 2019-04-17 07:29
Updated : 2019-10-09 16:22
NVD link : CVE-2017-11427
Mitre link : CVE-2017-11427
JSON object : View
CWE
CWE-287
Improper Authentication
Products Affected
onelogin
- pythonsaml