CVE-2023-40178

low-risk
Published 2023-08-23

Node-SAML is a SAML library not dependent on any frameworks that runs in Node. The lack of checking of current timestamp allows a LogoutRequest XML to be reused multiple times even when the current time is past the NotOnOrAfter. This could impact the user where they would be logged out from an expired LogoutRequest. In bigger contexts, if LogoutRequests are sent out in mass to different SPs, this could impact many users on a large scale. This issue was patched in version 4.0.5.

Do I need to act?

-
0.04% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Node Saml

Affected Vendors

Node Saml Project

References (6)

Patch https://github.com/node-saml/node-saml/commit/045e3b9c54211fdb95f96edf363679845b...
Release Notes https://github.com/node-saml/node-saml/releases/tag/v4.0.5
Vendor Advisory https://github.com/node-saml/node-saml/security/advisories/GHSA-vx8m-6fhw-pccw
Patch https://github.com/node-saml/node-saml/commit/045e3b9c54211fdb95f96edf363679845b...
Release Notes https://github.com/node-saml/node-saml/releases/tag/v4.0.5
Vendor Advisory https://github.com/node-saml/node-saml/security/advisories/GHSA-vx8m-6fhw-pccw
26
/ 100
low-risk
Severity 21/34 · High
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal