CVE-2020-5268: Subject Confirmation Method not validated in Saml2 Authentication Services for ASP.NET
Basic Information

| Field | Value |
|---|---|
| CVE ID | CVE-2020-5268 |
| GHSA ID | |
| CVSS Score | 6.5 (CVSS v3.1) |
| EPSS Score | 0.5245% |
| CWE | |
| Published | 4/22/2020 |
| Updated | 1/9/2023 |
| KEV Status | No |
| Technology | C# |
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
Sustainsys.Saml2 | nuget | < 1.0.2 | 1.0.2 |
Sustainsys.Saml2 | nuget | >= 2.0.0, < 2.7.0 | 2.7.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the SAML2 subject confirmation method not being validated. The commit diff shows significant changes to the Saml2PSecurityTokenHandler class, notably the replacement of the ValidateTokenReplay() method and the addition of a new ValidateToken() method. The original code did not check the subject confirmation method type (e.g. holder-of-key) and treated every assertion as a bearer assertion. The patched version (e58e0a1) adds this validation, which indicates that the vulnerable function was the token validation entry point and that it previously did not enforce subject confirmation method checks.
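The class of check described above, as an added example written for this page rather than taken from Sustainsys.Saml2 or its patch: a minimal validator that parses a SAML 2.0 assertion and accepts it only when every SubjectConfirmation uses the bearer method and its SubjectConfirmationData still applies to this service provider. The assertion XML, the recipient URL and the clock value are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


class SubjectConfirmationError(ValueError):
    pass


def validate_subject_confirmation(assertion_xml, expected_recipient, now):
    """Return the subject NameID only if the assertion is a valid bearer assertion.

    An assertion whose SubjectConfirmation uses holder-of-key (or any other
    non-bearer method) is rejected instead of being treated as a bearer token,
    which is the check the vulnerable handler lacked.
    """
    root = ET.fromstring(assertion_xml)
    subject = root.find("saml:Subject", NS)
    if subject is None:
        raise SubjectConfirmationError("assertion has no Subject")
    confirmations = subject.findall("saml:SubjectConfirmation", NS)
    if not confirmations:
        raise SubjectConfirmationError("Subject has no SubjectConfirmation")
    for sc in confirmations:
        method = sc.get("Method")
        if method != BEARER:
            raise SubjectConfirmationError(f"unsupported confirmation method: {method}")
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is None:
            raise SubjectConfirmationError("bearer confirmation lacks SubjectConfirmationData")
        if data.get("Recipient") != expected_recipient:
            raise SubjectConfirmationError("Recipient does not match this service provider")
        expiry = data.get("NotOnOrAfter")
        if expiry is None or now >= datetime.fromisoformat(expiry.replace("Z", "+00:00")):
            raise SubjectConfirmationError("SubjectConfirmationData missing NotOnOrAfter or expired")
    return subject.findtext("saml:NameID", namespaces=NS)


# Constructed sample assertions (not real traffic): one bearer, one holder-of-key.
def _assertion(method):
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:Subject>
    <saml:NameID>alice@example.test</saml:NameID>
    <saml:SubjectConfirmation Method="{method}">
      <saml:SubjectConfirmationData Recipient="https://sp.example.test/Saml2/Acs" NotOnOrAfter="2020-04-22T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

BEARER_ASSERTION = _assertion(BEARER)
HOK_ASSERTION = _assertion("urn:oasis:names:tc:SAML:2.0:cm:holder-of-key")
NOW = datetime(2020, 4, 22, 12, 0, tzinfo=timezone.utc)  # constructed clock value
```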