6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-5268

GHSA ID

GHSA-9475-xg6m-j7pw

EPSS Score

0.5245%

CWE

CWE-303

Published

4/22/2020

Updated

1/9/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-5268

CVE-2020-5268: Subject Confirmation Method not validated in Saml2 Authentication Services for ASP.NET

Impact

Saml2 tokens are usually used as bearer tokens - a caller that presents a token is assumed to be the subject of the token. There is also support in the Saml2 protocol for issuing tokens that is tied to a subject through other means, e.g. holder-of-key where possession of a private key must be proved. The Sustainsys.Saml2 library incorrectly treats all incoming tokens as bearer tokens, even though they have another subject confirmation method specified. This could be used by an attacker that could get access to Saml2 tokens with another subject confirmation method than bearer. The attacker could then use such a tocken to create a log in session.

Patches

Version 1.0.2 and 2.7.0 are patched.

Workarounds

Ensure that any IdentityProvider trusted by the Sustainsys.Saml2 SP only issues bearer tokens if the audience matches the Sustainsys.Saml2 SP.

For more information

If you have any questions or comments about this advisory:

Comment on #103
Email us at security@sustainsys.com if you think that there are further security issues.

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-5268

GHSA ID

GHSA-9475-xg6m-j7pw

EPSS Score

0.5245%

CWE

CWE-303

Published

4/22/2020

Updated

1/9/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Sustainsys.Saml2	nuget	< 1.0.2	1.0.2
Sustainsys.Saml2	nuget	>= 2.0.0, < 2.7.0	2.7.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper validation of SAML2 subject confirmation methods. The commit diff shows significant changes to the Saml2PSecurityTokenHandler class, particularly the replacement of the ValidateTokenReplay() method and implementation of a new ValidateToken() method. The original code lacked proper checks for subject confirmation method types (e.g., holder-of-key), instead defaulting to bearer token treatment. The patched version (e58e0a1) introduces proper validation logic, indicating the vulnerable function was the token validation entry point that previously didn't enforce subject confirmation method checks.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t S*ml* tok*ns *r* usu*lly us** *s ***r*r tok*ns - * **ll*r t**t pr*s*nts * tok*n is *ssum** to ** t** su*j**t o* t** tok*n. T**r* is *lso support in t** S*ml* proto*ol *or issuin* tok*ns t**t is ti** to * su*j**t t*rou** ot**r m**ns, *.*. *

Reasoning

T** vuln*r**ility st*ms *rom improp*r `v*li**tion` o* S*ML* su*j**t *on*irm*tion m*t*o*s. T** *ommit *i** s*ows si*ni*i**nt ***n**s to t** `S*ml*PS**urityTok*n**n*l*r` *l*ss, p*rti*ul*rly t** r*pl***m*nt o* t** `V*li**t*Tok*nR*pl*y()` m*t*o* *n* impl

6.5

Basic Information

Concerned about an active attack path?

CVE-2020-5268: Subject Confirmation Method not validated in Saml2 Authentication Services for ASP.NET

Impact

Patches

Workarounds

For more information

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI