7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-41890

CVE-2023-41890: Sustainsys.Saml2 Insufficient Identity Provider Issuer Validation

Impact

When a response is processed, the issuer of the Identity Provider is not sufficiently validated. This could allow a malicious identity provider to craft a Saml2 response that is processed as if issued by another identity provider. It is also possible for a malicious end user to cause stored state intended for one identity provider to be used when processing the response from another provider.

An application is impacted if they rely on any of these features in their authentication/authorization logic:

the issuer of the generated identity and claims
items in the stored request state (AuthenticationProperties)

Patches

Patched in version 2.9.2 and 1.0.3. All previous versions are vulnerable.

Workarounds

The AcsCommandResultCreated notification can be used to add the validation required if an upgrade to patched packages is not possible.

References

The patch is linked to https://github.com/Sustainsys/Saml2/issues/712 and https://github.com/Sustainsys/Saml2/issues/713

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-41890

CVE-2023-41890:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Sustainsys.Saml2	nuget	< 1.0.3	1.0.3
Sustainsys.Saml2	nuget	>= 2.0.0, < 2.9.2	2.9.2
Kentor.AuthServices	nuget	<= 0.23.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key issues: 1) Insufficient validation of the SAML assertion issuer against the expected Identity Provider, and 2) Improper binding of stored request state to specific authentication contexts. The AcsCommand.ProcessResponse method would be responsible for validating assertion issuers during response processing, which was inadequate prior to patches. The StoredRequestState.GetRequestState method likely retrieved state without considering the IdP context, allowing state substitution. These conclusions align with the described attack vectors (CWE-289/CWE-294) and the referenced GitHub issues #712 (assertion validation) and #713 (state binding).

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-41890: Sustainsys.Saml2 Insufficient Identity Provider Issuer Validation

Impact

Patches

Workarounds

References

CVE-2023-41890:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Technical Details

CVE-2023-41890: Sustainsys.Saml2 Insufficient Identity Provider Issuer Validation

Impact

Patches

Workarounds

References

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

7.5

7.5

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI