CVE-2021-28091

Public on 2021-06-04

Modified on 2021-09-08

Description

An XML Signature Wrapping (XSW) vulnerability was found in Lasso. This flaw allows an attacker to modify a valid SAML response to include an unsigned SAML assertion, which may be used to impersonate another valid user recognized by the service using Lasso. The highest threat from this vulnerability is to data confidentiality and integrity as well as service availability.

Severity

Important

See what this means

CVSS v3 Base Score

8.8

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory
Amazon Linux 1	lasso	2021-09-02 22:54	ALAS-2021-1529
Amazon Linux 2 - Core	lasso	2021-06-16 20:37	ALAS2-2021-1660

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD	CVSSv2	5.0	AV:N/AC:L/Au:N/C:N/I:P/A:N
NVD	CVSSv3	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

Red Hat: CVE-2021-28091 Mitre: CVE-2021-28091 FAQs regarding Amazon Linux ALAS/CVE Severity