GHSA-fv2h-753j-9g39 · 深刻度: high · エコシステム: nuget — Sustainsys.Saml2 Insufficient Identity Provider Issuer Validation
Sustainsys.Saml2 library adds SAML2P support to ASP.NET web sites, allowing the web site to act as a SAML2 Service Provider. Prior to versions 1.0.3 and 2.9.2, when a response is processed, the issuer of the Identity Provider is not sufficiently validated. This could allow a malicious identity provider to craft a Saml2 response that is processed as if issued by another identity provider. It is also possible for a malicious end user to cause stored state intended for one identity provider to be used when processing the response from another provider. An application is impacted if they rely on any of these features in their authentication/authorization logic: the issuer of the generated identity and claims; or items in the stored request state (AuthenticationProperties). This issue is patched in versions 2.9.2 and 1.0.3. The `AcsCommandResultCreated` notification can be used to add the validation required if an upgrade to patched packages is not possible.
総合評価: CVE-2023-41890 は中リスク(45.8/100)。CVSS 深刻度は高。悪用される可能性が高い(EPSS 0.60%、44 パーセンタイル) 推奨対応: 影響資産を整理し、修補計画に組み込んでください。
リスクは変動します。再評価に基づき、本ページの表示内容を更新しています。
EPSS は日次で悪用されやすさの相対度合いを推定します。パーセンタイルは採点済み CVE の中での相対位置(高いほど相対的に深刻)を示します。
| # | 日付 | 旧 EPSS スコア | 新 EPSS スコア | Δ(新 − 旧) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.20% | 0.60% | +0.40% |
| 2 | 2026-06-14 | 0.14% | 0.20% | +0.07% |
| 3 | 2025-11-21 | — | 0.14% | — |
EPSS の全履歴 (全 8 件)
この CVE の CVSS 指標。
| ベーススコア | バージョン | 深刻度 | ベクトル | 悪用しやすさ | 影響 | スコアの出典 |
|---|---|---|---|---|---|---|
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | [email protected] |
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | [email protected] |
GHSA-fv2h-753j-9g39 · 深刻度: high · エコシステム: nuget — Sustainsys.Saml2 Insufficient Identity Provider Issuer Validation
| ベンダー | 製品 | バージョン | 生の CPE |
|---|---|---|---|
| sustainsys | saml2 | < 1.0.3 | cpe:2.3:a:sustainsys:saml2:*:*:*:*:*:*:*:* |
| sustainsys | saml2 | >= 2.0.0, < 2.9.2 | cpe:2.3:a:sustainsys:saml2:*:*:*:*:*:*:*:* |
| URL | タグ |
|---|---|
| https://github.com/Sustainsys/Saml2/issues/712 | Issue Tracking Patch |
| https://github.com/Sustainsys/Saml2/issues/713 | Issue Tracking Patch |
| https://github.com/Sustainsys/Saml2/security/advisories/GHSA-fv2h-753j-9g39 | Third Party Advisory |