CVE-2020-5268: Subject Confirmation Method not validated in Saml2 Authentication Services for ASP.NET

CVSS Score: 6.5 (CVSS 3.1)

Basic Information

EPSS Score: 0.5245%
Published: 4/22/2020
Updated: 1/9/2023
KEV Status: No
Technology: C#

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| Sustainsys.Saml2 | nuget | < 1.0.2 | 1.0.2 |
| Sustainsys.Saml2 | nuget | >= 2.0.0, < 2.7.0 | 2.7.0 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from improper validation of the SAML2 subject confirmation method. The commit diff shows significant changes to the Saml2PSecurityTokenHandler class, in particular the replacement of the ValidateTokenReplay() method and the implementation of a new ValidateToken() method. The original code did not check which subject confirmation method an incoming assertion carried (for example holder-of-key) and treated every token as a bearer token, so whoever presented the token was taken to be its subject even when the issuer had bound the token to the subject by other means. The patched version (e58e0a1) introduces validation of the confirmation method, which indicates that the vulnerable function was the token validation entry point that previously did not enforce this check.
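The following is an added example, not code from Sustainsys.Saml2 or from this page. It puts the vulnerable pattern the analysis describes (the presenter of any assertion is treated as its subject, whatever SubjectConfirmation/@Method says) next to a hardened check that accepts an assertion as a bearer token only when every SubjectConfirmation uses the bearer method. The function names, the sample assertions and the issuer and recipient URLs are constructed for illustration; signature verification, audience and validity-window checks are assumed to happen elsewhere and are not shown.

```python
"""Bearer-only subject confirmation check for a SAML 2.0 assertion.

Added example, not Sustainsys.Saml2 code. Signature, audience and
NotOnOrAfter validation are assumed to be done elsewhere (not shown here).
"""
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML2_NS}

# Standard SAML 2.0 subject confirmation method URIs.
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"


class SubjectConfirmationError(Exception):
    """The assertion cannot be accepted as a bearer token."""


def _parse_assertion(assertion_xml: str) -> ET.Element:
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML2_NS}}}Assertion":
        raise SubjectConfirmationError(f"not a saml:Assertion: {root.tag}")
    return root


def subject_confirmation_methods(assertion_xml: str) -> list[str]:
    """Return the Method attribute of every SubjectConfirmation element."""
    root = _parse_assertion(assertion_xml)
    return [
        sc.get("Method", "")
        for sc in root.findall("./saml:Subject/saml:SubjectConfirmation", NS)
    ]


def accept_as_bearer_unchecked(assertion_xml: str) -> str:
    """Vulnerable pattern: the presenter is assumed to be the subject no
    matter how the issuer said the subject must be confirmed. Returns NameID."""
    root = _parse_assertion(assertion_xml)
    return root.findtext("./saml:Subject/saml:NameID", namespaces=NS) or ""


def accept_as_bearer(assertion_xml: str) -> str:
    """Hardened version: accept only if the subject is confirmed by the bearer
    method. Rejects assertions with no SubjectConfirmation and any carrying a
    non-bearer method (holder-of-key, sender-vouches, unknown URIs), because
    a plain relying party cannot satisfy those confirmations."""
    methods = subject_confirmation_methods(assertion_xml)
    if not methods:
        raise SubjectConfirmationError("assertion has no SubjectConfirmation")
    non_bearer = sorted({m for m in methods if m != BEARER})
    if non_bearer:
        raise SubjectConfirmationError(
            "unsupported subject confirmation method(s): " + ", ".join(non_bearer)
        )
    return accept_as_bearer_unchecked(assertion_xml)


def is_accepted_as_bearer(assertion_xml: str) -> bool:
    """Boolean wrapper around accept_as_bearer for callers without exceptions."""
    try:
        accept_as_bearer(assertion_xml)
        return True
    except SubjectConfirmationError:
        return False


def build_assertion(*methods: str) -> str:
    """Constructed, unsigned sample assertion with one SubjectConfirmation
    per method given (illustration only; the URLs are made up)."""
    confirmations = "".join(
        f'<saml:SubjectConfirmation Method="{m}">'
        '<saml:SubjectConfirmationData NotOnOrAfter="2020-04-22T10:05:00Z" '
        'Recipient="https://sp.example.com/Saml2/Acs"/>'
        "</saml:SubjectConfirmation>"
        for m in methods
    )
    return (
        f'<saml:Assertion xmlns:saml="{SAML2_NS}" ID="_a1" Version="2.0" '
        'IssueInstant="2020-04-22T10:00:00Z">'
        "<saml:Issuer>https://idp.example.com</saml:Issuer>"
        f"<saml:Subject><saml:NameID>alice</saml:NameID>{confirmations}</saml:Subject>"
        "</saml:Assertion>"
    )


BEARER_ASSERTION = build_assertion(BEARER)
HOK_ASSERTION = build_assertion(HOLDER_OF_KEY)
MIXED_ASSERTION = build_assertion(BEARER, HOLDER_OF_KEY)
NO_CONFIRMATION_ASSERTION = build_assertion()

if __name__ == "__main__":
    for label, xml in [("bearer", BEARER_ASSERTION), ("holder-of-key", HOK_ASSERTION),
                       ("mixed", MIXED_ASSERTION), ("none", NO_CONFIRMATION_ASSERTION)]:
        print(f"{label:14} unchecked={accept_as_bearer_unchecked(xml)!r:8} "
              f"hardened={is_accepted_as_bearer(xml)}")
```

The unchecked function hands back "alice" for the holder-of-key assertion exactly as it does for the bearer one, which is the behaviour the analysis describes. The hardened check rejects the mixed assertion as well: SAML 2.0 Core lets a relying party confirm the subject through any one SubjectConfirmation it can satisfy, so accepting a bearer-plus-holder-of-key assertion on the bearer confirmation alone would be spec-compliant, but requiring every confirmation to be bearer is the more conservative policy and is the one shown here.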

WAF Protection Rules

WAF Rule

### Impact

Saml2 tokens are usually used as bearer tokens - a caller that presents a token is assumed to be the subject of the token. There is also support in the Saml2 protocol for issuing tokens that are tied to a subject through other means, e.g.
