PT-2024-18262 · Unknown · Armeria-Saml

Lishiki

Published

2024-02-26

Updated

2025-03-29

CVE-2024-1735

CVSS v3.1

9.1

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions armeria-saml versions less than 1.27.2

Description A vulnerability has been identified, allowing the use of malicious SAML messages to bypass authentication. The SAML implementation provided by armeria-saml currently accepts unsigned SAML messages as they are, rather than rejecting them by default. As a result, an attacker can forge a SAML message to authenticate themselves, despite the fact that such an unsigned SAML message should be rejected.

Recommendations For armeria-saml versions less than 1.27.2, upgrade to 1.27.2 or later to resolve the issue. As a temporary workaround, consider restricting the use of armeria-saml until a patch is applied. There is no known workaround for this vulnerability.

Fix

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-287CWE-304

Related Identifiers

CVE-2024-1735

GHSA-4M6J-23P2-8C54

Affected Products

Armeria-Saml

PT-2024-18262 · Unknown · Armeria-Saml

CVE-2024-1735

Weakness Enumeration

Related Identifiers

Affected Products

References · 13