PT-2024-32842

Ahacker1-Securesaml · Published 2024-10-09 · Updated 2024-11-05 · CVE-2024-47832

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
SSOReady builds prior to commit 7f92a06

Description
The issue concerns XML signature bypass attacks. An attacker who has access to certain IdP-signed messages can exploit differences in behavior between XML parsers to bypass signature verification. Users of the public hosted instance of SSOReady are unaffected. The vulnerability was reported by a security researcher; its precise mechanism has not been publicly disclosed, to avoid enabling attacks on other SAML implementations.

Recommendations
Upgrade to SSOReady commit 7f92a06 or later by updating your SSOReady Docker images from sha-... to sha-7f92a06. There are no known workarounds for this vulnerability.
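Because the fix is identified by a commit rather than a release number, "7f92a06 or later" cannot be read off an image tag by string comparison: the tag has to be resolved against the project's git history. The script below is an added example for this page, not code from the advisory or from the SSOReady project. It takes the advisory's "sha-<commit>" tag format and the fix commit 7f92a06 as given; the image name and the presence of a local SSOReady git checkout that contains the fix in its history are assumptions.

```shell
#!/bin/sh
# Added example, not part of the advisory or the SSOReady project: decide whether a
# deployed SSOReady Docker image already contains the fix commit. The tag format
# "sha-<commit>" and the fix commit 7f92a06 come from the advisory; the image name
# and the path of a local SSOReady git checkout are assumptions.
set -e

FIX_COMMIT="7f92a06"

# Print the commit embedded in an image reference tagged sha-<commit>, e.g.
# registry.example/ssoready:sha-7f92a06 (constructed image name). Returns 1 when
# the tag is not of that form, because such a tag says nothing about the commit.
tag_commit() {
    case "$1" in
        *:sha-*) printf '%s\n' "${1##*:sha-}" ;;
        *) return 1 ;;
    esac
}

# Return 0 when the running commit ($2) is the fix commit ($1) or one of its
# descendants in the repository checked out at $3. "7f92a06 or later" means
# exactly this ancestry relation, which a tag string alone cannot establish.
commit_includes_fix() {
    git -C "$3" merge-base --is-ancestor "$1" "$2"
}

# Classify an image as PATCHED, VULNERABLE, or UNKNOWN (tag not of the sha- form).
# $1 image reference, $2 path to a git checkout whose history contains the fix,
# $3 optional fix commit (defaults to the advisory's 7f92a06).
check_image() {
    image="$1"; repo="$2"; fix="${3:-$FIX_COMMIT}"
    commit=$(tag_commit "$image") || { echo UNKNOWN; return 2; }
    if commit_includes_fix "$fix" "$commit" "$repo"; then
        echo PATCHED
        return 0
    fi
    echo VULNERABLE
    return 1
}

# Usage: sh check_ssoready_image.sh <image-ref> <path-to-ssoready-checkout>
# With fewer than two arguments only the functions are defined.
if [ "$#" -ge 2 ]; then
    check_image "$1" "$2"
fi
```

Run it against the image reference you actually deploy (for example, the one reported by `docker inspect` on the running container) and a checkout of the SSOReady repository that has been fetched after the fix landed; an UNKNOWN result means the image is tagged some other way and must be traced back to a commit by hand before it can be judged.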


Weakness Enumeration

CWE-347: Improper Verification of Cryptographic Signature

Related Identifiers

CVE-2024-47832
GHSA-J2HR-Q93X-GXVH
GO-2024-3185
OPENSUSE-SU-2024:0350-1
OPENSUSE-SU-2024:14447-1
OPENSUSE-SU-2024_3911-1
SUSE-SU-2024:3911-1

Affected Products

SSOReady
SUSE