
Vulnerability_id VCID-v3bx-f3um-8ubc
Summary
Authentication Bypass by Alternate Name
Sustainsys.Saml2 library adds SAML2P support to ASP.NET web sites, allowing the web site to act as a SAML2 Service Provider.
Prior to versions 1.0.3 and 2.9.2, when a response is processed, the issuer of the Identity Provider is not sufficiently validated. This could allow a malicious identity provider to craft a Saml2 response that is processed as if issued by another identity provider. It is also possible for a malicious end user to cause stored state intended for one identity provider to be used when processing the response from another provider. An application is impacted if it relies on any of these features in its authentication/authorization logic: the issuer of the generated identity and claims; or items in the stored request state (AuthenticationProperties). This issue is patched in versions 2.9.2 and 1.0.3. The `AcsCommandResultCreated` notification can be used to add the validation required if an upgrade to patched packages is not possible.
Aliases
0
alias CVE-2023-41890
1
alias GHSA-fv2h-753j-9g39
Fixed_packages
0
url pkg:composer/simplesamlphp/saml2@1.1.0
purl pkg:composer/simplesamlphp/saml2@1.1.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@1.1.0
1
url pkg:composer/simplesamlphp/saml2@3.0.0
purl pkg:composer/simplesamlphp/saml2@3.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ucwf-xdma-h7fc
1
vulnerability VCID-wbt9-snjj-uuea
2
vulnerability VCID-xx6m-pvgs-puga
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@3.0.0
2
url pkg:nuget/Sustainsys.Saml2@1.0.3
purl pkg:nuget/Sustainsys.Saml2@1.0.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:nuget/Sustainsys.Saml2@1.0.3
3
url pkg:nuget/Sustainsys.Saml2@2.9.2
purl pkg:nuget/Sustainsys.Saml2@2.9.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:nuget/Sustainsys.Saml2@2.9.2
Affected_packages
0
url pkg:composer/simplesamlphp/saml2@2.0.0
purl pkg:composer/simplesamlphp/saml2@2.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ucwf-xdma-h7fc
1
vulnerability VCID-v3bx-f3um-8ubc
2
vulnerability VCID-wbt9-snjj-uuea
3
vulnerability VCID-xx6m-pvgs-puga
4
vulnerability VCID-zemd-kbb3-s3cr
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@2.0.0
1
url pkg:nuget/Kentor.AuthServices@0.23.0
purl pkg:nuget/Kentor.AuthServices@0.23.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-v3bx-f3um-8ubc
resource_url http://public2.vulnerablecode.io/packages/pkg:nuget/Kentor.AuthServices@0.23.0
2
url pkg:nuget/Sustainsys.Saml2@2.0.0
purl pkg:nuget/Sustainsys.Saml2@2.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-v3bx-f3um-8ubc
resource_url http://public2.vulnerablecode.io/packages/pkg:nuget/Sustainsys.Saml2@2.0.0
References
0
reference_url https://github.com/Sustainsys/Saml2
reference_id
reference_type
scores
url https://github.com/Sustainsys/Saml2
1
reference_url https://github.com/Sustainsys/Saml2/issues/712
reference_id
reference_type
scores
url https://github.com/Sustainsys/Saml2/issues/712
2
reference_url https://github.com/Sustainsys/Saml2/issues/713
reference_id
reference_type
scores
url https://github.com/Sustainsys/Saml2/issues/713
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-41890
reference_id CVE-2023-41890
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-41890
4
reference_url https://github.com/advisories/GHSA-fv2h-753j-9g39
reference_id GHSA-fv2h-753j-9g39
reference_type
scores
url https://github.com/advisories/GHSA-fv2h-753j-9g39
5
reference_url https://github.com/Sustainsys/Saml2/security/advisories/GHSA-fv2h-753j-9g39
reference_id GHSA-fv2h-753j-9g39
reference_type
scores
url https://github.com/Sustainsys/Saml2/security/advisories/GHSA-fv2h-753j-9g39
Weaknesses
0
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
1
cwe_id 289
name Authentication Bypass by Alternate Name
description The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.
2
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
3
cwe_id 294
name Authentication Bypass by Capture-replay
description A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).
Exploits
Severity_range_score null
Exploitability null
Weighted_severity null
Risk_score null
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-v3bx-f3um-8ubc