<p>Upgrade <code>samlify</code> to version 2.4.0 or higher.</p>

Improper Verification of Signature Affecting samlify package, versions <2.4.0

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JS-SAMLIFY-72614
published 15 Nov 2018
disclosed 23 May 2018
credit Erlend Oftedal

Report a new vulnerability Found a mistake?

Introduced: 23 May 2018

CWE-91 Open this link in a new tab

How to fix?

Upgrade samlify to version 2.4.0 or higher.

Overview

samlify is a Highly configuarable Node.js SAML 2.0 library for Single Sign On.

Affected versions of this package are vulnerable to Improper Verification of Signature. An attacker could potentially wrap the signature of a SAML response, and insert a new username in the original token, making it appear as though a different user was authenticated.

References

CVSS Scores

version 3.1

Attack Vector (AV)

Network
Attack Complexity (AC)

High
Privileges Required (PR)

Low
User Interaction (UI)

None

Scope (S)

Unchanged

Confidentiality (C)

High
Integrity (I)

High
Availability (A)

High

Improper Verification of Signature Affecting samlify package, versions <2.4.0

Severity

CVSS assessment made by Snyk's Security Team

Introduced: 23 May 2018

How to fix?

Overview

References

CVSS Scores

Snyk