What is the severity of CVE-2022-23505?

CVE-2022-23505 is considered a moderate severity vulnerability as it allows remote attackers to bypass WSFed authentication.

How do I fix CVE-2022-23505?

To fix CVE-2022-23505, you should upgrade to version 4.6.3 or later of the passport-wsfed-saml2 package.

What versions are affected by CVE-2022-23505?

CVE-2022-23505 affects all versions of passport-wsfed-saml2 prior to 4.6.3.

Can CVE-2022-23505 be exploited remotely?

Yes, CVE-2022-23505 can be exploited remotely by an attacker to bypass authentication.

What type of authentication is vulnerable in CVE-2022-23505?

CVE-2022-23505 specifically affects WSFed authentication implemented using the passport-wsfed-saml2 package.

Vulnerability/
CVE-2022-23505

high

7.5

CWE

287

13/12/2022

3/8/2024

CVE-2022-23505: Passport-wsfed-saml2 vulnerable to Authentication Bypass for WSFed authentication

First published: Tue Dec 13 2022(Updated: )

Passport-wsfed-saml2 is a ws-federation protocol and SAML2 tokens authentication provider for Passport. In versions prior to 4.6.3, a remote attacker may be able to bypass WSFed authentication on a website using passport-wsfed-saml2. A successful attack requires that the attacker is in possession of an arbitrary IDP signed assertion. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if generation of a signed message can be triggered. This issue is patched in version 4.6.3. Use of SAML2 authentication instead of WSFed is a workaround.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Auth0 passport-wsfed-saml2	<=4.6.2

Never miss a vulnerability like this again

Reference Links

https://github.com/auth0/passport-wsfed-saml2/security/advisories/GHSA-ppjq-qxhx-m25f

Frequently Asked Questions

What is the severity of CVE-2022-23505?
CVE-2022-23505 is considered a moderate severity vulnerability as it allows remote attackers to bypass WSFed authentication.
How do I fix CVE-2022-23505?
To fix CVE-2022-23505, you should upgrade to version 4.6.3 or later of the passport-wsfed-saml2 package.
What versions are affected by CVE-2022-23505?
CVE-2022-23505 affects all versions of passport-wsfed-saml2 prior to 4.6.3.
Can CVE-2022-23505 be exploited remotely?
Yes, CVE-2022-23505 can be exploited remotely by an attacker to bypass authentication.
What type of authentication is vulnerable in CVE-2022-23505?
CVE-2022-23505 specifically affects WSFed authentication implemented using the passport-wsfed-saml2 package.

collector/nvd-index
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/references
agent/author
agent/last-modified-date
agent/weakness
agent/severity
agent/title
agent/description
agent/first-publish-date
agent/event
agent/tags
agent/source
vendor/auth0
canonical/auth0 passport-wsfed-saml2
version/auth0 passport-wsfed-saml2/4.6.2

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.