PT-2020-13197 · Fusionauth · Fusionauth
Published 2020-10-02 · Updated 2021-04-30
CVE-2020-12676
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
FusionAuth fusionauth-samlv2 version 0.2.3
Description
fusionauth-samlv2 0.2.3 accepts a SAML assertion that lacks a Signature element: the XML signature is validated only when one is present, so a missing signature is treated as a skipped check rather than a failure. A remote attacker who obtains or crafts an assertion can strip its Signature element, alter the contents (for example the Subject NameID), and be accepted by the service provider, bypassing authentication. This class of flaw is known as a "signature exclusion attack".
Recommendations
Upgrade fusionauth-samlv2 to a release later than 0.2.3 that addresses CVE-2020-12676 (check the project's release notes for the fixing version). Independently of the version, the service provider must treat a missing Signature element as a validation failure, not as a reason to skip verification, and must reject any assertion whose signature does not verify against the identity provider's known certificate. As a temporary workaround, restrict access to resources that rely on this SAML login flow until the fix is deployed.
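The control-flow defect described above, shown as an added example constructed for this page (it is not code from fusionauth-samlv2): a service-provider login check in the vulnerable shape, which verifies a signature only when one is present, beside the hardened shape, which requires one. Real XML-DSig (an RSA signature over the canonicalised assertion, verified with the IdP's X.509 key) is replaced by an HMAC-SHA256 tag carried in ds:SignatureValue so the example runs with the Python standard library alone; the key, issuer, assertion ID and element layout are constructed stand-ins.

```python
"""Signature exclusion against a SAML service provider (constructed example).

Not fusionauth-samlv2 code. XML-DSig (RSA over a canonicalised assertion) is
stood in for by HMAC-SHA256 over the serialised assertion so that the example
runs offline with the standard library; the control flow is what matters.
"""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("saml", SAML)
ET.register_namespace("ds", DS)

# Constructed stand-in for the IdP's key (a real SP holds the IdP's X.509 public key).
IDP_KEY = b"constructed-idp-key"


def _signed_bytes(assertion):
    """Bytes the signature covers: the assertion with its enveloped ds:Signature removed."""
    stripped = copy.deepcopy(assertion)
    for sig in stripped.findall(f"{{{DS}}}Signature"):
        stripped.remove(sig)
    return ET.tostring(stripped)


def _signature_ok(assertion, sig):
    """Constant-time comparison of the tag carried in ds:SignatureValue."""
    presented = sig.findtext(f"{{{DS}}}SignatureValue") or ""
    expected = hmac.new(IDP_KEY, _signed_bytes(assertion), hashlib.sha256).hexdigest()
    return hmac.compare_digest(presented, expected)


def idp_issue_assertion(subject):
    """What the IdP sends: an assertion naming `subject` with an enveloped signature."""
    assertion = ET.Element(f"{{{SAML}}}Assertion", {"ID": "_a1", "Version": "2.0"})
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = "https://idp.example"
    subj = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = subject
    tag = hmac.new(IDP_KEY, _signed_bytes(assertion), hashlib.sha256).hexdigest()
    sig = ET.SubElement(assertion, f"{{{DS}}}Signature")
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = tag
    return ET.tostring(assertion, encoding="unicode")


def attacker_strip_and_rewrite(xml, new_subject):
    """Signature exclusion: drop ds:Signature, then claim to be someone else."""
    assertion = ET.fromstring(xml)
    for sig in assertion.findall(f"{{{DS}}}Signature"):
        assertion.remove(sig)
    assertion.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID").text = new_subject
    return ET.tostring(assertion, encoding="unicode")


def sp_login_vulnerable(xml):
    """The CVE-2020-12676 pattern: the signature is checked only when one is present.

    Returns the authenticated subject, or None on rejection.
    """
    assertion = ET.fromstring(xml)
    sig = assertion.find(f"{{{DS}}}Signature")
    if sig is not None and not _signature_ok(assertion, sig):
        return None  # a bad signature is rejected ...
    return assertion.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")  # ... a missing one is not


def sp_login_hardened(xml):
    """Signature is mandatory: absence is a failure, not a skipped check."""
    assertion = ET.fromstring(xml)
    sig = assertion.find(f"{{{DS}}}Signature")
    if sig is None or not _signature_ok(assertion, sig):
        return None
    return assertion.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")


if __name__ == "__main__":
    genuine = idp_issue_assertion("alice")
    forged = attacker_strip_and_rewrite(genuine, "admin")
    print("vulnerable SP accepts forged assertion as:", sp_login_vulnerable(forged))
    print("hardened SP accepts forged assertion as:  ", sp_login_hardened(forged))
```

The only difference between the two checks is the `sig is None` branch: the vulnerable one falls through to reading the NameID, the hardened one returns None. In a real deployment the hardened check is necessary but not sufficient: the verifier must also confirm that the signature's Reference covers the very assertion whose NameID is consumed (the sibling flaw is signature wrapping) and that the signing certificate is the configured IdP certificate rather than whatever the message carries.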
Weakness Enumeration
CWE-347: Improper Verification of Cryptographic Signature
Related Identifiers
CVE-2020-12676
Affected Products
Fusionauth