CVE-2020-27846

A signature verification vulnerability exists in crewjam/saml. This flaw allows an attacker to bypass SAML Authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Published: Dec 21, 2020
Updated: Nov 8, 2023
CVE: CVE-2020-27846
GHSA: GHSA-4hq8-gmxx-h6w9
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 10
AV:N/AC:L/Au:N/C:C/I:C/A:C

CWEs:

CWE-287
CWE-115

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
grafana / grafana	7.3.0	7.3.6
grafana / grafana	7.0.0	7.2.3
grafana / grafana	-	6.7.5
saml_project / saml	-	0.4.3
redhat / openshift_container_platform	3.11	3.11.x
redhat / enterprise_linux	8.0	8.0.x
redhat / openshift_container_platform	4.0	4.0.x
redhat / openshift_service_mesh	2.0	2.0.x
fedoraproject / fedora	32	32.x
fedoraproject / fedora	33	33.x
github.com/crewjam/saml	-	0.4.3

https://bugzilla.redhat.com/show_bug.cgi?id=1907670
https://github.com/crewjam/saml/commit/da4f1a0612c0a8dd0452cf8b3c7a6518f6b4d053
https://github.com/crewjam/saml/security/advisories/GHSA-4hq8-gmxx-h6w9
https://grafana.com/blog/2020/12/17/grafana-6.7.5-7.2.3-and-7.3.6-released-with-important-security-fix-for-grafana-enterprise/
https://lists.fedoraproject.org/archives/list/[email protected]/message/3YUTKIRWT6TWU7DS6GF3EOANVQBFQZYI/
https://lists.fedoraproject.org/archives/list/[email protected]/message/ICP3YRY2VUCNCF2VFUSK77ZMRIC77FEM/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YUTKIRWT6TWU7DS6GF3EOANVQBFQZYI/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ICP3YRY2VUCNCF2VFUSK77ZMRIC77FEM/
https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/
https://pkg.go.dev/vuln/GO-2021-0058
https://security.netapp.com/advisory/ntap-20210205-0002/

Vulnerability Database

289,598

CVE-2020-27846