GMS-2020-769: Authentication Bypass in saml2-js

September 3, 2020 (updated September 29, 2021)

Versions of saml2-js prior to 2.0.5 are vulnerable to an Authentication Bypass. The package fails to enforce the assertion conditions for encrypted assertions, which may allow an attacker to reuse encrypted assertion tokens indefinitely.

Recommendation

Upgrade to version 2.0.5 or later.

References

github.com/Clever/saml2/commit/ae0da4d0a0ea682a737be481e3bd78798be405c0
github.com/Clever/saml2/pull/190
github.com/advisories/GHSA-mfcp-34xw-p57x
snyk.io/vuln/SNYK-JS-SAML2JS-474637
www.npmjs.com/advisories/1222

Code Behaviors & Features

Detect and mitigate GMS-2020-769 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →