High severityNVD Advisory· Published May 13, 2020· Updated Sep 16, 2024
Signature Wrapping Vulnerability with spring-security-saml2-service-provider
CVE-2020-5407
Description
Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an arbitrary assertion that Spring Security will accept as valid.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.springframework.security:spring-security-coreMaven | >= 5.2.0, < 5.2.4 | 5.2.4 |
org.springframework.security:spring-security-coreMaven | >= 5.3.0, < 5.3.2 | 5.3.2 |
Affected products
1- Range: 5.2
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
12- github.com/advisories/GHSA-48rw-j489-928mghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-5407ghsaADVISORY
- lists.apache.org/thread.html/r73af928cf64bebf78b7fa4bc56a5253273ec7829f5f5827f64c72fc7%40%3Cissues.servicemix.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r73af928cf64bebf78b7fa4bc56a5253273ec7829f5f5827f64c72fc7@%3Cissues.servicemix.apache.org%3EghsaWEB
- lists.apache.org/thread.html/ra19a4e7236877fe12bfb52db07b27ad72d9e7a9f5e27bba7e928e18a%40%3Cdev.geode.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/ra19a4e7236877fe12bfb52db07b27ad72d9e7a9f5e27bba7e928e18a@%3Cdev.geode.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rd99601fbca514f214f88f9e53fd5be3cfbff05b350c994b4ec2e184c%40%3Cdev.geode.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/rd99601fbca514f214f88f9e53fd5be3cfbff05b350c994b4ec2e184c@%3Cdev.geode.apache.org%3EghsaWEB
- tanzu.vmware.com/security/cve-2020-5407ghsax_refsource_CONFIRMWEB
- www.oracle.com/security-alerts/cpuApr2021.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpujan2021.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpuoct2020.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.