Vulnerability DatabaseCVE-2023-40178
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2023-40178
August 23, 2023
Node-SAML is a SAML library not dependent on any frameworks that runs in Node. The lack of checking of current timestamp allows a LogoutRequest XML to be reused multiple times even when the current time is past the NotOnOrAfter. This could impact the user where they would be logged out from an expired LogoutRequest. In bigger contexts, if LogoutRequests are sent out in mass to different SPs, this could impact many users on a large scale. This issue was patched in version 4.0.5.
Affected Packages
@node-saml/node-saml (NPM):
Affected version(s)
Fix Suggestion:
Update to version 4.0.5
Related ResourcesĀ (5)
https://nvd.nist.gov/vuln/detail/CVE-2023-40178
https://github.com/node-saml/node-saml/releases/tag/v4.0.5
https://github.com/node-saml/node-saml/commit/045e3b9c54211fdb95f96edf363679845b195cec
https://github.com/node-saml/node-saml/security/advisories/GHSA-vx8m-6fhw-pccw
https://github.com/node-saml/node-saml
Do you need more information?
Contact Us
CVSS v4
Base Score:
6.9
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
LOW
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
LOW
Weakness Type (CWE)
Improper Verification of Cryptographic Signature
CWE-347
Insufficient Session Expiration
CWE-613
EPSS
Base Score:
0.04