GluuFederation / gluu-passport

Gluu interface to Passport.js to support social login and inbound identity.
Apache License 2.0

SAML authn response signature validation bypass due to vulnerable component #488

Closed srd90 closed 1 year ago

srd90 commented 1 year ago

Today (18th October 2022) it's been 7 days since this: https://github.com/node-saml/passport-saml/security/advisories/GHSA-m974-647v-whv7 (and the first fix, 3.2.2, was released 7 days ago).

gluu-passport is still using a vulnerable version (3.2.1) of passport-saml: https://github.com/GluuFederation/gluu-passport/blob/83f83c8945ef02ce70173d2fe48abbe848d5ff84/package-lock.json Related dependabot PRs:

  1. https://github.com/GluuFederation/gluu-passport/pull/480
  2. https://github.com/GluuFederation/gluu-passport/pull/481
  3. https://github.com/GluuFederation/gluu-passport/pull/490

GluuFederation/inbound-saml is also using the vulnerable 3.2.1 version: https://github.com/GluuFederation/inbound-saml/blob/7ee42f5f84c577f252edc3cfd4f1e45d03d9c172/yarn.lock Related dependabot PRs:

  1. https://github.com/GluuFederation/inbound-saml/pull/169
  2. https://github.com/GluuFederation/inbound-saml/pull/175
  3. https://github.com/GluuFederation/inbound-saml/pull/180
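
A defender-side check for the state this report describes, as an added example that is not part of gluu-passport, inbound-saml or this thread: it scans a package-lock.json for passport-saml versions below 3.2.2, the first fixed release the issue names, across both lockfile layouts. The `FIXED_VERSION` constant and the sample lock files are constructed for the example.

```javascript
// Added example, not code from gluu-passport or this issue: scan a parsed
// package-lock.json for passport-saml below the first fixed release the issue
// names (3.2.2). Handles lockfile v1 ("dependencies", possibly nested) and
// v2/v3 ("packages") layouts. The sample lock files below are constructed.
const FIXED_VERSION = '3.2.2';

// Numeric major.minor.patch comparison; returns <0, 0 or >0. Pre-release tags
// are ignored, so e.g. a 4.0.0-beta build is not flagged and needs manual review.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Every installed version of `name` in the lock file, whatever its lockfileVersion.
function findVersions(lock, name) {
  const found = new Set();
  for (const [path, meta] of Object.entries(lock.packages || {})) {   // v2 / v3
    if (path.endsWith('node_modules/' + name) && meta.version) found.add(meta.version);
  }
  const walk = (deps) => {                                            // v1, nested
    for (const [dep, meta] of Object.entries(deps || {})) {
      if (dep === name && meta.version) found.add(meta.version);
      walk(meta.dependencies);
    }
  };
  walk(lock.dependencies);
  return [...found];
}

// passport-saml versions in the lock file still below FIXED_VERSION;
// an empty array means the dependency has been bumped past the advisory.
function vulnerablePassportSaml(lockJson) {
  return findVersions(JSON.parse(lockJson), 'passport-saml')
    .filter((v) => compareVersions(v, FIXED_VERSION) < 0);
}

// Constructed samples: the pinned 3.2.1 the issue reports, and a post-bump lock.
const SAMPLE_VULNERABLE = JSON.stringify({
  lockfileVersion: 1, dependencies: { 'passport-saml': { version: '3.2.1' } },
});
const SAMPLE_FIXED = JSON.stringify({
  lockfileVersion: 2, packages: { 'node_modules/passport-saml': { version: '3.2.2' } },
});
console.log(vulnerablePassportSaml(SAMPLE_VULNERABLE)); // [ '3.2.1' ]
console.log(vulnerablePassportSaml(SAMPLE_FIXED));      // []
```

Pointing `vulnerablePassportSaml` at the real lock file (`fs.readFileSync('package-lock.json', 'utf8')`) gives a quick CI gate until the dependabot PRs above are merged.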

mzico commented 1 year ago

Let me touch the passport team...

kdhttps commented 1 year ago

Done at gluu-passport. Created a new one for inbound-saml: https://github.com/GluuFederation/inbound-saml/issues/191