CVE-2022-23505: Security Update for passport-wsfed-saml2 Library
Published: Dec 12, 2022
CVE number: CVE-2022-23505
A remote attacker can bypass WSFed authentication on a website using passport-wsfed-saml2. A successful attack requires that the attacker is in possession of an arbitrary IDP-signed WSFed assertion. Depending on the IDP used, fully unauthenticated attacks (e.g. without access to a valid user) might also be feasible if generation of a signed message can be triggered.
Am I affected?
You are affected if you are using the WSFed protocol with the passport-wsfed-saml2 library versions
SAML2 protocol is not affected.
How to fix that?
Upgrade to version
Will this update impact my users?
The fix provided in the patch will not affect your users.