CVE-2021-28091

Public on 2021-06-16
Modified on 2021-09-08
Description
An XML Signature Wrapping (XSW) vulnerability was found in Lasso. This flaw allows an attacker to modify a valid SAML response to include an unsigned SAML assertion, which may be used to impersonate another valid user recognized by the service using Lasso. The highest threat from this vulnerability is to data confidentiality and integrity as well as service availability.
Severity
Important
CVSS v3 Base Score
8.8
See breakdown

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 2 lasso 2021-06-16 20:37 ALAS2-2021-1660
Amazon Linux 1 lasso 2021-09-02 22:54 ALAS-2021-1529

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD CVSSv2 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N
NVD CVSSv3 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N