PT-2022-16038 · Unknown · Passport-Wsfed-Saml2

Gkwang · Published 2022-12-13 · Updated 2023-07-14 · CVE-2022-23505

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Passport-wsfed-saml2 versions prior to 4.6.3

Description: A remote attacker may be able to bypass WSFed authentication on a website using passport-wsfed-saml2. A successful attack requires that the attacker is in possession of an arbitrary IDP signed assertion. Depending on the IDP used, fully unauthenticated attacks might also be feasible if generation of a signed message can be triggered.

Recommendations: Upgrade the library to version 4.6.3. As a temporary workaround, consider using SAML2 authentication instead of WSFed until the issue is resolved.

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2022-23505
GHSA-PPJQ-QXHX-M25F

Affected Products

Passport-Wsfed-Saml2