Overview
This vulnerability allows an attacker to impersonate any user during SAML authentication by tampering with a valid SAML response. This can be done by adding attributes to the response.
Am I Affected?
You are affected by this SAML Attribute Smuggling vulnerability if you are using passport-wsfed-saml2 version 4.5.1 or below, specifically under the following conditions:
- The service provider is using passport-wsfed-saml2,
- A valid SAML Response signed by the Identity Provider can be obtained
Fix
Upgrade to v4.6.4 or greater.
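The following script is an added example, not part of the advisory or of the passport-wsfed-saml2 project. It walks the "packages" map of an npm package-lock.json (lockfile v2/v3 format, an assumption about the deployment) and reports every installed copy of passport-wsfed-saml2, top-level or nested, whose version is below the fixed version 4.6.4 named above. The sample lockfile is constructed for the example.

```javascript
// Added example (not from the advisory): find installed copies of
// passport-wsfed-saml2 that are below the fixed version 4.6.4.
// The advisory states versions <= 4.5.1 are affected and >= 4.6.4 are fixed;
// this check flags anything below the fixed version as needing the upgrade.

const PACKAGE = 'passport-wsfed-saml2';
const FIXED_VERSION = '4.6.4';

// Parse "MAJOR.MINOR.PATCH" into numbers; a leading "v" and any
// pre-release/build suffix ("-beta.1", "+build") are ignored.
function parseVersion(v) {
  const core = String(v).replace(/^v/, '').split(/[-+]/)[0];
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Numeric comparison (so 4.10.0 > 4.6.4, unlike a string compare).
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed version is older than the advisory's fixed version.
function needsUpgrade(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Lockfile v2/v3 keys entries by their node_modules path, e.g.
// "node_modules/passport-wsfed-saml2" or a nested
// "node_modules/some-dep/node_modules/passport-wsfed-saml2".
function findVulnerableCopies(lockfile) {
  const findings = [];
  const packages = (lockfile && lockfile.packages) || {};
  for (const [path, meta] of Object.entries(packages)) {
    const isTarget =
      path === `node_modules/${PACKAGE}` || path.endsWith(`/node_modules/${PACKAGE}`);
    if (isTarget && meta && meta.version && needsUpgrade(meta.version)) {
      findings.push({ path, version: meta.version });
    }
  }
  return findings;
}

// Constructed sample lockfile: the top-level copy is fixed, but a nested
// copy pulled in by another dependency is still on an affected version.
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/passport': { version: '0.7.0' },
    'node_modules/passport-wsfed-saml2': { version: '4.6.4' },
    'node_modules/legacy-auth/node_modules/passport-wsfed-saml2': { version: '4.5.1' },
  },
};

console.log(JSON.stringify(findVulnerableCopies(SAMPLE_LOCKFILE), null, 2));
// prints one finding: the nested copy at version 4.5.1
```

To run it against a real project, replace `SAMPLE_LOCKFILE` with the parsed contents of the project's package-lock.json; nested copies matter because a fixed top-level version does not upgrade a copy another dependency pins.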