CVE-2020-27846

high-risk
Published 2020-12-21

A signature verification vulnerability exists in crewjam/saml. This flaw allows an attacker to bypass SAML Authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Do I need to act?

~
7.5% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (8)

Saml

Affected Vendors

Redhat Fedoraproject Grafana Saml Project

References (14)

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1907670
Third Party Advisory https://github.com/crewjam/saml/security/advisories/GHSA-4hq8-gmxx-h6w9
Vendor Advisory https://grafana.com/blog/2020/12/17/grafana-6.7.5-7.2.3-and-7.3.6-released-with-...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Exploit https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/
Third Party Advisory https://security.netapp.com/advisory/ntap-20210205-0002/
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1907670
Third Party Advisory https://github.com/crewjam/saml/security/advisories/GHSA-4hq8-gmxx-h6w9
Vendor Advisory https://grafana.com/blog/2020/12/17/grafana-6.7.5-7.2.3-and-7.3.6-released-with-...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Exploit https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/
Third Party Advisory https://security.netapp.com/advisory/ntap-20210205-0002/
56
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 10/34 · Low
Exposure 14/34 · Moderate