Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information. Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Passport-wsfed-saml2 vulnerable to Authentication Bypass for WSFed authentication
Vulnerability Description
Passport-wsfed-saml2 is a WS-Federation protocol and SAML2 token authentication provider for Passport. In versions prior to 4.6.3, a remote attacker may be able to bypass WSFed authentication on a website using passport-wsfed-saml2. A successful attack requires that the attacker is in possession of an arbitrary IDP-signed assertion. Depending on the IDP used, fully unauthenticated attacks (e.g. without access to a valid user) might also be feasible if generation of a signed message can be triggered. This issue is patched in version 4.6.3. Use of SAML2 authentication instead of WSFed is a workaround.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Vulnerability Type
Improper Authentication
Vulnerability Title
Passport-wsfed-saml2 Security Vulnerability
Vulnerability Description
Passport-wsfed-saml2 is an open-source token authentication provider from Auth0. Passport-wsfed-saml2 versions 4.6.2 and earlier contain a security vulnerability; an attacker can exploit it to bypass WSFed authentication on a website that uses passport-wsfed-saml2.
CVSS Information
N/A
Vulnerability Type
N/A