PT-2019-7880 · Saml2-Js · Saml2-Js

Kelby Ludwig · Published 2019-04-17 · Updated 2019-10-09 · CVE-2017-11429

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
saml2-js versions prior to 1.12.4
saml2-js versions prior to 2.0.2

Description
The issue arises from incorrect use of XML DOM traversal and canonicalization APIs, which allows an attacker to manipulate SAML data without invalidating its cryptographic signature. This can bypass authentication to SAML service providers.

Security Assertion Markup Language (SAML) is used for security assertions about authentication and permissions, most commonly in single sign-on (SSO) services. Some XML DOM traversal and canonicalization APIs handle comments inside XML nodes inconsistently, which leads to incorrect parsing of a node's inner text. As a result, any inner text after a comment is lost before the SAML message is cryptographically signed, so it has no effect on the signature. A remote attacker can therefore modify SAML content without invalidating the signature, potentially bypassing primary authentication.

Recommendations
If you use version 1.x, upgrade to version 1.12.4 or greater. If you use version 2.x, upgrade to version 2.0.2 or greater.
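The parsing inconsistency the description refers to, shown as an added example with Python's standard-library DOM and C14N writer (this is illustrative code, not saml2-js's own): a NameID whose text is split by an XML comment reads as a shorter value through a first-text-node accessor, while the canonical form that a signature covers keeps the whole text. The document and the identity values are constructed placeholders; the last function is the defensive check a service provider can apply before trusting the extracted value.

```python
"""Added example: DOM-vs-canonicalization discrepancy behind CVE-2017-11429,
demonstrated with Python's stdlib (not the saml2-js code base)."""
from xml.dom import minidom
from xml.etree import ElementTree as ET

# Constructed, deliberately minimal (non-SAML-complete) document in which the
# NameID text is interrupted by a comment. All values are placeholders.
ASSERTION = (
    "<Assertion><Subject>"
    "<NameID>alice@example.com<!-- -->.example.net</NameID>"
    "</Subject></Assertion>"
)


def name_id_element(xml: str):
    """Parse with minidom, which preserves comment nodes in the tree."""
    return minidom.parseString(xml).getElementsByTagName("NameID")[0]


def first_text_node_only(xml: str) -> str:
    """The fragile pattern: read only the first child node's data.
    The comment splits the text into two text nodes, so the tail is dropped."""
    return name_id_element(xml).firstChild.data


def all_text_nodes(xml: str) -> str:
    """Robust extraction: concatenate every text-node child, skipping comments."""
    el = name_id_element(xml)
    return "".join(c.data for c in el.childNodes if c.nodeType == c.TEXT_NODE)


def canonical_form(xml: str) -> str:
    """What a C14N-based signature covers: the comment is removed and the
    text on both sides of it is kept, so the signature still verifies."""
    return ET.canonicalize(xml_data=xml, with_comments=False)


def contains_comment(xml: str) -> bool:
    """Defensive check: flag identity elements that carry any comment node,
    so the consumer can reject the assertion instead of trusting a partial read."""
    el = name_id_element(xml)
    return any(c.nodeType == c.COMMENT_NODE for c in el.childNodes)
```

Comparing `first_text_node_only` with `canonical_form` on the same input is the whole bug: the signed bytes and the value the application acts on disagree.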

Weakness Enumeration
Improper Authentication

Related Identifiers
CVE-2017-11429
GHSA-5P5W-J3G7-W4WV

Affected Products
Saml2-Js