VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-ject-qv5p-hqfw

Essentials
Severities (17)
References (7)
Severity details (15)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-ject-qv5p-hqfw
Aliases	CVE-2023-41890 GHSA-fv2h-753j-9g39
Summary	Sustainsys.Saml2 library adds SAML2P support to ASP.NET web sites, allowing the web site to act as a SAML2 Service Provider. Prior to versions 1.0.3 and 2.9.2, when a response is processed, the issuer of the Identity Provider is not sufficiently validated. This could allow a malicious identity provider to craft a Saml2 response that is processed as if issued by another identity provider. It is also possible for a malicious end user to cause stored state intended for one identity provider to be used when processing the response from another provider. An application is impacted if they rely on any of these features in their authentication/authorization logic: the issuer of the generated identity and claims; or items in the stored request state (AuthenticationProperties). This issue is patched in versions 2.9.2 and 1.0.3. The `AcsCommandResultCreated` notification can be used to add the validation required if an upgrade to patched packages is not possible.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (4)

CWE-289	Authentication Bypass by Alternate Name
CWE-294	Authentication Bypass by Capture-replay
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00135	https://api.first.org/data/v1/epss?cve=CVE-2023-41890
epss	0.00135	https://api.first.org/data/v1/epss?cve=CVE-2023-41890
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-fv2h-753j-9g39
cvssv3.1	7.5	https://github.com/Sustainsys/Saml2
generic_textual	HIGH	https://github.com/Sustainsys/Saml2
cvssv3.1	7.5	https://github.com/Sustainsys/Saml2/issues/712
generic_textual	HIGH	https://github.com/Sustainsys/Saml2/issues/712
ssvc	Track	https://github.com/Sustainsys/Saml2/issues/712
cvssv3.1	7.5	https://github.com/Sustainsys/Saml2/issues/713
generic_textual	HIGH	https://github.com/Sustainsys/Saml2/issues/713
ssvc	Track	https://github.com/Sustainsys/Saml2/issues/713
cvssv3.1	7.5	https://github.com/Sustainsys/Saml2/security/advisories/GHSA-fv2h-753j-9g39
cvssv3.1_qr	HIGH	https://github.com/Sustainsys/Saml2/security/advisories/GHSA-fv2h-753j-9g39
generic_textual	HIGH	https://github.com/Sustainsys/Saml2/security/advisories/GHSA-fv2h-753j-9g39
ssvc	Track	https://github.com/Sustainsys/Saml2/security/advisories/GHSA-fv2h-753j-9g39
cvssv3.1	7.5	https://nvd.nist.gov/vuln/detail/CVE-2023-41890
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2023-41890

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2023-41890
		https://github.com/Sustainsys/Saml2
		https://nvd.nist.gov/vuln/detail/CVE-2023-41890
712		https://github.com/Sustainsys/Saml2/issues/712
713		https://github.com/Sustainsys/Saml2/issues/713
GHSA-fv2h-753j-9g39		https://github.com/advisories/GHSA-fv2h-753j-9g39
GHSA-fv2h-753j-9g39		https://github.com/Sustainsys/Saml2/security/advisories/GHSA-fv2h-753j-9g39

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/Sustainsys/Saml2

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/Sustainsys/Saml2/issues/712

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:28:58Z/ Found at https://github.com/Sustainsys/Saml2/issues/712

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/Sustainsys/Saml2/issues/713

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:28:58Z/ Found at https://github.com/Sustainsys/Saml2/issues/713

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/Sustainsys/Saml2/security/advisories/GHSA-fv2h-753j-9g39

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:28:58Z/ Found at https://github.com/Sustainsys/Saml2/security/advisories/GHSA-fv2h-753j-9g39

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-41890

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.3312
EPSS Score	0.00135
Published At	June 11, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-11T17:28:15.564614+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2023/41xxx/CVE-2023-41890.json	38.6.0