CVE-2020-5407

Name of the Vulnerable Software and Affected Versions Spring Security versions 5.2.x prior to 5.2.4 Spring Security versions 5.3.x prior to 5.3.2

Description The issue is related to a signature wrapping vulnerability during SAML response validation in the spring-security-saml2-service-provider component. This allows a malicious user to modify an otherwise valid SAML response and append an arbitrary assertion that will be accepted as valid. The vulnerability can be exploited by a remote attacker to impact the confidentiality, integrity, and availability of protected information.

Recommendations For versions 5.2.x prior to 5.2.4, update to version 5.2.4 or later. For versions 5.3.x prior to 5.3.2, update to version 5.3.2 or later. As a temporary workaround, consider disabling the spring-security-saml2-service-provider component until a patch is available. Restrict access to the SAML response validation functionality to minimize the risk of exploitation. Avoid using the vulnerable component for critical authentication processes until the issue is resolved.