openam-jp / openam

SAMLv1.x SSO process vulnerability #286

Closed ogis-song closed 10 months ago

ogis-song commented 1 year ago

Description

OpenAM does not properly validate the signature of SAML responses received as part of the SAMLv1.x Single Sign-On process.

Attackers can impersonate any OpenAM user, including the administrator, by exploiting this vulnerability.

This is the same vulnerability announced as OpenIdentityPlatform/OpenAM CVE-2023-37471. https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-4mh8-9wq6-rjxg
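For readers evaluating their own SAMLv1.x service-provider code, the following is an added example (not OpenAM's code and not taken from the advisory) of the checks a relying party should apply before trusting an assertion: parse with DTDs disabled, require an enveloped `ds:Signature` directly under the `saml:Assertion`, verify it against a public key pinned from configuration rather than one carried in the message's `KeyInfo`, and confirm that the single `Reference` points at the assertion's own `AssertionID`. It uses only the JDK's `javax.xml.crypto.dsig` API. The class name, the assertion-level signing assumption (a response-level signature would be checked the same way against `ResponseID`), and the `pinnedIdpCert` parameter are assumptions made for the example.

```java
import java.io.ByteArrayInputStream;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

// Example verifier for a SAMLv1.x assertion; hypothetical class, not part of OpenAM.
public final class Saml1AssertionVerifier {
    private static final String DSIG_NS = XMLSignature.XMLNS;                       // http://www.w3.org/2000/09/xmldsig#
    private static final String SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"; // SAMLv1.x assertion namespace

    // Public key pinned from SP configuration. The KeyInfo inside the message is never consulted,
    // so an attacker cannot supply their own certificate along with their own signature.
    private final PublicKey idpKey;

    public Saml1AssertionVerifier(X509Certificate pinnedIdpCert) {
        this.idpKey = pinnedIdpCert.getPublicKey();
    }

    /** Returns the verified Assertion element; throws SecurityException on any policy or signature failure. */
    public Element verifyAndExtractAssertion(byte[] responseXml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);                                        // required for XMLDSig
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(responseXml));

        // Exactly one assertion: rejects wrapping attempts that add a second, unsigned assertion.
        NodeList assertions = doc.getElementsByTagNameNS(SAML1_NS, "Assertion");
        if (assertions.getLength() != 1) {
            throw new SecurityException("expected exactly one saml:Assertion, found " + assertions.getLength());
        }
        Element assertion = (Element) assertions.item(0);
        String assertionId = assertion.getAttribute("AssertionID");          // SAML 1.x attribute name
        if (assertionId.isEmpty()) {
            throw new SecurityException("Assertion carries no AssertionID");
        }

        // The signature must be a direct child of the assertion it protects.
        Element sigEl = null;
        NodeList children = assertion.getChildNodes();
        for (int i = 0; i < children.getLength() && sigEl == null; i++) {
            Node n = children.item(i);
            if (n.getNodeType() == Node.ELEMENT_NODE
                    && DSIG_NS.equals(n.getNamespaceURI())
                    && "Signature".equals(n.getLocalName())) {
                sigEl = (Element) n;
            }
        }
        if (sigEl == null) {
            throw new SecurityException("Assertion is not signed");
        }

        // Validate with the pinned key. Registering AssertionID as an ID attribute lets the
        // Reference URI "#<AssertionID>" resolve without relying on a DTD.
        DOMValidateContext ctx = new DOMValidateContext(idpKey, sigEl);
        ctx.setIdAttributeNS(assertion, null, "AssertionID");
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);
        if (!sig.validate(ctx)) {
            throw new SecurityException("XML signature verification failed");
        }

        // Bind the signature to this assertion: one Reference, and it must name the assertion's own ID.
        // A valid signature over some other element in the document must not be accepted.
        List<?> refs = sig.getSignedInfo().getReferences();
        if (refs.size() != 1) {
            throw new SecurityException("expected exactly one ds:Reference, found " + refs.size());
        }
        Reference ref = (Reference) refs.get(0);
        if (!("#" + assertionId).equals(ref.getURI())) {
            throw new SecurityException("signature Reference does not cover this Assertion");
        }
        return assertion;
    }
}
```

The order of the checks matters: the structural conditions (single assertion, signature present as a direct child, reference URI equal to the assertion's own ID) are what turn "a signature somewhere in the document is valid" into "this assertion was signed by the pinned IdP", which is the property the advisory above says was not being enforced. Anything extracted from the assertion (subject, attributes, conditions) should be read only from the element this method returns.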