VYPR
High severity · NVD Advisory · Published May 13, 2020 · Updated Sep 16, 2024

Signature Wrapping Vulnerability with spring-security-saml2-service-provider

CVE-2020-5407

Description

Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an arbitrary assertion that Spring Security will accept as valid.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.springframework.security:spring-security-core (Maven) | >= 5.2.0, < 5.2.4 | 5.2.4
org.springframework.security:spring-security-core (Maven) | >= 5.3.0, < 5.3.2 | 5.3.2
