Vulnerability Details: CVE-2017-1000452
An XML Signature Wrapping vulnerability exists in Samlify 2.2.0 and earlier, and in its predecessor Express-saml2, which could allow attackers to impersonate arbitrary users.
Products affected by CVE-2017-1000452
- cpe:2.3:a:samlify_project:samlify:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-1000452
- 0.11%: Probability of exploitation activity in the next 30 days
- ~ 44 %: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-1000452
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P | 6.8 | 6.4 | NIST | |
7.5 | HIGH | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.6 | 5.9 | NIST | |
CWE ids for CVE-2017-1000452
- The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system. Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-1000452
- https://github.com/tngan/samlify/releases/tag/v2.3.0
  Release v2.3.0 · tngan/samlify · GitHub. Issue Tracking; Patch; Release Notes; Third Party Advisory
- https://www.whitehats.nl/blog/xml-signature-wrapping-samlify
  XML Signature Wrapping vulnerability in Samlify | WhiteHats B.V. Mitigation; Third Party Advisory