PT-2017-14626 · Auth0 · Passport-Wsfed-Saml2

Alan Bishop · Published 2017-12-23 · Updated 2023-06-21 · CVE-2017-16897

CVSS v2.0: 9.3 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Auth0 passport-wsfed-saml2 versions prior to 3.0.5

Description

A vulnerability has been discovered in the Auth0 passport-wsfed-saml2 library that allows an attacker to impersonate another user, and potentially elevate their privileges, if the SAML identity provider does not sign the full SAML response. The issue arises when the identity provider signs both the SAML response and the assertion within it, or signs only the assertion and not the SAML response.

Recommendations

To fix this vulnerability, upgrade the Auth0 passport-wsfed-saml2 library to version 3.0.5 or above. The fix patches the library without impacting users, their current state, or existing sessions.
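The defensive rule behind this class of bug is that a service provider must only act on the SAML element a verified signature actually covers: either the whole samlp:Response (enveloped signature referencing the Response ID) or the specific saml:Assertion being consumed (enveloped signature, inside that assertion, referencing that assertion's ID). The following is an added, illustrative Python check, not code from passport-wsfed-saml2 or Auth0; it assumes the cryptographic XML-DSig verification is done by a real library and supplied as the `signature_valid` callback, and it uses constructed, minimal SAML samples (real ds:SignedInfo elements carry more children than shown).

```python
# Added example (not the passport-wsfed-saml2 code): bind each XML-DSig signature to the
# element the service provider consumes. Cryptographic verification of a ds:Signature is
# assumed to be done elsewhere and is passed in as `signature_valid(signature_element)`.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _referenced_ids(signature):
    """IDs a ds:Signature claims to cover (each ds:Reference URI of the form "#id")."""
    ids = set()
    for ref in signature.findall("ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        if uri.startswith("#"):
            ids.add(uri[1:])
    return ids


def _covers(element, signature_valid):
    """True if `element` carries an enveloped, valid signature referencing its own ID."""
    own_id = element.get("ID")
    return own_id is not None and any(
        own_id in _referenced_ids(sig) and signature_valid(sig)
        for sig in element.findall("ds:Signature", NS)  # direct children only
    )


def accepted_assertions(response_xml, signature_valid):
    """Return the IDs of the assertions a service provider may act on.

    An assertion is accepted only if the whole samlp:Response is signed (an enveloped
    signature references the Response ID) or the assertion itself carries an enveloped
    signature referencing that assertion's ID. A signature that lives elsewhere in the
    document, or references a different ID, authenticates nothing.
    """
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    response_signed = _covers(root, signature_valid)
    return [
        a.get("ID")
        for a in root.findall("saml:Assertion", NS)
        if response_signed or _covers(a, signature_valid)
    ]


# --- constructed sample data (minimal, not a real IdP's output) ---------------------

def build_assertion(aid, ref=None, sig_value="constructed"):
    """Constructed assertion; `ref` adds an enveloped signature with Reference URI="#ref"."""
    sig = ""
    if ref is not None:
        sig = (f'<ds:Signature><ds:SignedInfo><ds:Reference URI="#{ref}"/></ds:SignedInfo>'
               f'<ds:SignatureValue>{sig_value}</ds:SignatureValue></ds:Signature>')
    return (f'<saml:Assertion ID="{aid}"><saml:Issuer>https://idp.example</saml:Issuer>{sig}'
            f'<saml:Subject><saml:NameID>user-{aid}</saml:NameID></saml:Subject></saml:Assertion>')


def build_response(assertions, sign_response=False):
    """Constructed samlp:Response (ID _r1) wrapping the given assertion strings."""
    sig = ""
    if sign_response:
        sig = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#_r1"/></ds:SignedInfo>'
               '<ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>')
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'xmlns:ds="{NS["ds"]}" ID="_r1">{sig}{"".join(assertions)}</samlp:Response>')


def demo_signature_valid(signature):
    """Stand-in for real XML-DSig verification: accepts only the constructed marker value."""
    return signature.findtext("ds:SignatureValue", namespaces=NS) == "constructed"


if __name__ == "__main__":
    # One signed assertion next to an unsigned one: only the signed ID is returned.
    mixed = build_response([build_assertion("_a1", ref="_a1"), build_assertion("_a2")])
    print(accepted_assertions(mixed, demo_signature_valid))  # ['_a1']
```

The point of the check is the ID binding: a signature is only credited to the element it is nested in and whose ID its Reference names, so a valid signature on one assertion never vouches for a sibling, and a Response-level signature is required before unsigned assertions in that Response are trusted.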

Fix

Upgrade to passport-wsfed-saml2 3.0.5 or later (see Recommendations above).

Weakness Enumeration

Authentication Bypass by Spoofing

Related identifiers

CVE-2017-16897
GHSA-77FW-RF4V-VFP9
GHSA-7FPW-CFC4-3P2C

Affected products

Passport-Wsfed-Saml2