Improper Verification of Signature Affecting samlify package, versions <2.4.0


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Improper Verification of Signature vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-SAMLIFY-72614
  • published15 Nov 2018
  • disclosed23 May 2018
  • creditErlend Oftedal

Introduced: 23 May 2018

CVE NOT AVAILABLE CWE-91  (opens in a new tab)

How to fix?

Upgrade samlify to version 2.4.0 or higher.

Overview

samlify is a Highly configuarable Node.js SAML 2.0 library for Single Sign On.

Affected versions of this package are vulnerable to Improper Verification of Signature. An attacker could potentially wrap the signature of a SAML response, and insert a new username in the original token, making it appear as though a different user was authenticated.

CVSS Scores

version 3.1