CVE-2022-39299 Passport-SAML is a SAML 2.0 authentication provider for Passport, the Node.js authentication library. A remote attacker may be able to bypass SAML authentication.
Passport no longer ships with a custom implementation of the `saml2` Passport extension, but `node-saml` still relies on the old extension for its SAML implementation. Upgrading to the latest `node-saml` will resolve this issue. Node-saml 4.0.0-beta.9 and later is not affected by this issue.

Affected versions
-----------

- Node-saml prior to version 4.0.0-beta.9.
- Passport prior to v0.11.11.
- SAML 2.0 software prior to 1.1.0.
- SAML 2.0 libraries prior to 1.1.0.

Solution
------------

Upgrade to at least version 3.2.2 of the `passport-saml` package: https://www.npmjs.com/package/passport-saml

or install `node-saml@^4.0.0-beta.9` from: https://www.npmjs.com/package/node-saml

Confirmed with
-----------

The `node-saml` SAML 2.0 extension version prior to 4.0.0-beta.9 is not affected by this issue. The `passport-saml` package version prior to v0.11.11 is not affected by this issue.
Summary
A new version of the `passport-saml` package has been released that fixes an issue with the `node-saml` package. The upgrade is necessary for Node.js users who are using the old version of the `node-saml` package, which relies on a custom implementation of the `passport-saml` extension.
Component: Passport
One component of the Passport API requires upgrading.
Issue
------------

This issue has been resolved in the latest release. The version that is affected by this issue is:
- node-saml 2.1.0
The latest SAML 2.0 library version that was released prior to 1.1.0 is not affected by this issue, but all versions released after 1.1.0 are affected by the issue and require updating to a newer version of `node-saml`.
Timeline
Published on: 10/12/2022 21:15:00 UTC
Last modified on: 10/14/2022 20:02:00 UTC