CVE-2022-39299
Authentication Bypass vulnerability in passport-saml (npm)
What is CVE-2022-39299 About?
This vulnerability allows a remote attacker to bypass SAML authentication on websites using passport-saml. It requires possession of an arbitrary IDP-signed XML element. The impact can be severe, potentially granting unauthorized access to accounts, and an attacker's ability to trigger IDP-signed messages can simplify exploitation.
Affected Software
- passport-saml: <3.2.2
- node-saml: <4.0.0-beta.5
- @node-saml/node-saml: <4.0.0-beta.5
- @node-saml/passport-saml: <4.0.0-beta.3
Technical Details
The vulnerability allows SAML authentication in passport-saml to be bypassed. A remote attacker can exploit it by presenting an arbitrary XML element that has been signed by an Identity Provider (IDP). The core flaw is in how passport-saml verifies signed XML elements while validating a SAML response: a forged or replayed signed element can be accepted as legitimate authentication. Depending on the IDP's configuration and on whether the attacker can trigger the generation of signed messages (for example, through a legitimate user interaction), fully unauthenticated attacks may be feasible. The attack vector is the manipulation and submission of SAML assertions, or parts of them.
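The check this class of bug comes down to, shown here as an added illustration in Python (not passport-saml's own code, which is JavaScript): does the IdP signature actually cover the root Response, or an Assertion the application consumes, rather than some arbitrary signed element elsewhere in the document? Cryptographic verification of the signature is assumed to be done separately; the two SAML responses and their IDs are constructed samples.

```python
import xml.etree.ElementTree as ET

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def signed_element_ids(root):
    """IDs that the document's ds:Reference elements claim to sign (URI="#id")."""
    ids = set()
    for ref in root.iter("{%s}Reference" % NS["ds"]):
        uri = ref.get("URI", "")
        if uri.startswith("#"):
            ids.add(uri[1:])
    return ids

def signature_covers_root(xml_text):
    """Structural check run next to cryptographic verification (assumed done elsewhere):
    accept only if a signature reference points at the root Response or at an Assertion
    that is a direct child of it, and that ID is unique. Any other signed element is rejected."""
    root = ET.fromstring(xml_text)
    ids = signed_element_ids(root)
    candidates = [root] + root.findall("saml2:Assertion", NS)
    for elem in candidates:
        elem_id = elem.get("ID")
        if elem_id is None or elem_id not in ids:
            continue
        # Reject ID collisions: a reference must resolve to exactly one element.
        if sum(1 for e in root.iter() if e.get("ID") == elem_id) == 1:
            return True
    return False

# Constructed sample 1: the IdP signature references the root Response (_r1).
GOOD_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_r1"/></ds:SignedInfo></ds:Signature>
  <saml2:Assertion ID="_a1"><saml2:Subject><saml2:NameID>alice</saml2:NameID></saml2:Subject></saml2:Assertion>
</saml2p:Response>"""

# Constructed sample 2: the only signed element (_x1) is nested under Extensions;
# neither the root nor the consumed Assertion (_a1) is covered by any signature.
BAD_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <saml2p:Extensions><saml2:Assertion ID="_x1">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_x1"/></ds:SignedInfo></ds:Signature>
  </saml2:Assertion></saml2p:Extensions>
  <saml2:Assertion ID="_a1"><saml2:Subject><saml2:NameID>alice</saml2:NameID></saml2:Subject></saml2:Assertion>
</saml2p:Response>"""

if __name__ == "__main__":
    print(signature_covers_root(GOOD_RESPONSE), signature_covers_root(BAD_RESPONSE))
```

The second sample is the shape a "signed element accepted regardless of where it sits" bug misses: a crypto-valid signature exists in the document, but it does not cover the element that carries the identity being trusted.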
What is the Impact of CVE-2022-39299?
Successful exploitation may allow attackers to gain unauthorized access to user accounts or entire systems protected by SAML authentication, leading to sensitive data exposure, privilege escalation, or full system compromise.
What is the Exploitability of CVE-2022-39299?
Exploiting this vulnerability requires a moderate to high level of complexity. The primary prerequisite is for the attacker to be in possession of an arbitrary IDP-signed XML element. This might involve intercepting a legitimate SAML exchange or exploiting another weakness in the IDP's signing process. Authentication is technically bypassed, so the attacker does not need to authenticate to the target service beforehand, but they do require a signed XML element. This is a remote exploitation scenario. A crucial special condition is the attacker's ability to obtain or trigger the generation of such signed XML elements. Risk factors are significantly increased for applications handling sensitive data that rely solely on SAML for authentication, especially if IDP sign-on processes are not robust.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| doyensec | Link | A Simple CVE-2022-39299 PoC exploit generator to bypass authentication in SAML SSO Integrations using vulnerable versions of passport-saml |
| KaztoRay | Link | A write-up of research on the CVE-2022-39299 vulnerability |
What are the Available Fixes for CVE-2022-39299?
Available Upgrade Options
- @node-saml/node-saml: <4.0.0-beta.5 → Upgrade to 4.0.0-beta.5
- node-saml: <4.0.0-beta.5 → Upgrade to 4.0.0-beta.5
- @node-saml/passport-saml: <4.0.0-beta.3 → Upgrade to 4.0.0-beta.3
- passport-saml: <3.2.2 → Upgrade to 3.2.2
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2022-39299
- http://packetstormsecurity.com/files/169826/Node-saml-Root-Element-Signature-Bypass.html
- https://github.com/node-saml/passport-saml/commit/8b7e3f5a91c8e5ac7e890a0c90bc7491ce33155e
- https://github.com/node-saml/passport-saml/security/advisories/GHSA-m974-647v-whv7
- https://github.com/node-saml/passport-saml/releases/tag/v3.2.2
- https://github.com/node-saml/passport-saml
- https://osv.dev/vulnerability/GHSA-m974-647v-whv7
What are Similar Vulnerabilities to CVE-2022-39299?
Similar Vulnerabilities: CVE-2023-27163, CVE-2023-3467, CVE-2023-44487, CVE-2023-28848, CVE-2023-43187
