Home > Vulnerability Database > CVE-2021-23365

Mend.io Vulnerability Database

CVE-2021-23365

Good to know:

Date: April 26, 2021

The package github.com/tyktechnologies/tyk-identity-broker before 1.1.1 are vulnerable to Authentication Bypass via the Go XML parser which can cause SAML authentication bypass. This is because the XML parser doesn’t guarantee integrity in the XML round-trip (encoding/decoding XML data).

Language: Go

Severity Score

4.8

Related Resources (7)

Url: https://github.com/TykTechnologies/tyk-identity-broker/releases/tag/v1.1.1

Url: https://github.com/TykTechnologies/tyk-identity-broker/commit/46f70420e0911e4e8b638575e29d394c227c75d0

Url: https://github.com/TykTechnologies/tyk-identity-broker/commit/243092965b0f93a95a14cb882b5b9a3df61dd5c0

Url: https://nvd.nist.gov/vuln/detail/CVE-2021-23365

Url: https://github.com/advisories/GHSA-599h-8wpj-75xj

Url: https://github.com/TykTechnologies/tyk-identity-broker/pull/147

Url: https://www.mend.io/vulnerability-database/CVE-2021-23365

Severity Score

4.8

Weakness Type (CWE)

Improper Authentication

CWE-287

Top Fix

Upgrade Version

Upgrade to version github.com/tyktechnologies/tyk-identity-broker - v1.1.1;github.com/TykTechnologies/tyk-identity-broker - v1.1.1

Learn More

CVSS v3.1

Base Score:	4.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

CVSS v2

Base Score:	5.5
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	SINGLE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2021-23365

Good to know:

Date: April 26, 2021

Language: Go

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?