#VU28464 Improper Verification of Cryptographic Signature in Spring Security
Vulnerability identifier: #VU28464
Vulnerability risk: Medium
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-347
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Spring Security
Server applications /
Frameworks for developing and running applications
Vendor: VMware, Inc
Description
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to a signature wrapping issue during SAML response validation when using the "spring-security-saml2-service-provider" component. A remote authenticated attacker can carefully modify an otherwise valid SAML response and append an arbitrary assertion that Spring Security will accept as valid.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Spring Security: 5.2.0 - 5.3.1
External links
http://lists.apache.org/thread.html/r73af928cf64bebf78b7fa4bc56a5253273ec7829f5f5827f64c72fc7@%3Cissues.servicemix.apache.org%3E
http://lists.apache.org/thread.html/ra19a4e7236877fe12bfb52db07b27ad72d9e7a9f5e27bba7e928e18a@%3Cdev.geode.apache.org%3E
http://lists.apache.org/thread.html/rd99601fbca514f214f88f9e53fd5be3cfbff05b350c994b4ec2e184c@%3Cdev.geode.apache.org%3E
http://tanzu.vmware.com/security/cve-2020-5407
http://github.com/spring-projects/spring-security/tree/5.2.3.RELEASE/samples/boot/saml2login
http://docs.spring.io/spring-security/site/docs/5.2.3.RELEASE/reference/html5/#saml2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
