CVE-2020-5261 — HIGH (8.2) — White Hats Nepal

Q: How severe is CVE-2020-5261?

CVE-2020-5261 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-5261?

Check the references section above for vendor advisories and patch information. Affected products include: Sustainsys Saml2.

Vulnerability Description

Saml2 Authentication services for ASP.NET (NuGet package Sustainsys.Saml2) greater than 2.0.0, and less than version 2.5.0 has a faulty implementation of Token Replay Detection. Token Replay Detection is an important defence in depth measure for Single Sign On solutions. The 2.5.0 version is patched. Note that version 1.0.1 is not affected. It has a correct Token Replay Implementation and is safe to use. Saml2 Authentication services for ASP.NET (NuGet package Sustainsys.Saml2) greater than 2.0.0, and less than version 2.5.0 have a faulty implementation of Token Replay Detection. Token Replay Detection is an important defense measure for Single Sign On solutions. The 2.5.0 version is patched. Note that version 1.0.1 and prior versions are not affected. These versions have a correct Token Replay Implementation and are safe to use.

CVSS Score

8.2

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Sustainsys	Saml2	>= 2.0.0, < 2.5.0

Related Weaknesses (CWE)

CWE-294

References

https://github.com/Sustainsys/Saml2/commit/e58e0a1aff2b1ead6aca080b7cdced55ee6d5PatchThird Party Advisory
https://github.com/Sustainsys/Saml2/issues/711Issue TrackingThird Party Advisory
https://github.com/Sustainsys/Saml2/security/advisories/GHSA-g6j2-ch25-5mmvThird Party Advisory
https://github.com/Sustainsys/Saml2/commit/e58e0a1aff2b1ead6aca080b7cdced55ee6d5PatchThird Party Advisory
https://github.com/Sustainsys/Saml2/issues/711Issue TrackingThird Party Advisory
https://github.com/Sustainsys/Saml2/security/advisories/GHSA-g6j2-ch25-5mmvThird Party Advisory

FAQ

What is CVE-2020-5261?

CVE-2020-5261 is a vulnerability with a CVSS score of 8.2 (HIGH). Saml2 Authentication services for ASP.NET (NuGet package Sustainsys.Saml2) greater than 2.0.0, and less than version 2.5.0 has a faulty implementation of Token Replay Detection. Token Replay Detection...

How severe is CVE-2020-5261?

CVE-2020-5261 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-5261?

Check the references section above for vendor advisories and patch information. Affected products include: Sustainsys Saml2.