Advisories for Golang/Github.com/Fleetdm/Fleet/V4 package

In vulnerable versions of Fleet, an attacker could craft a specially-formed SAML response to: Forge authentication assertions, potentially impersonating legitimate users. If Just-In-Time (JIT) provisioning is enabled, the attacker could provision a new administrative user account. If MDM enrollment is enabled, certain endpoints could be used to create new accounts tied to forged assertions. This could allow unauthorized access to Fleet, including administrative access, visibility into device data, and modification …

Fleet is an open source osquery manager. In Fleet, due to issues in Go's standard library XML parsing, a valid SAML response may be mutated by an attacker to modify the trusted document. This can result in allowing unverified logins from a SAML IdP. Users that configure Fleet with SSO login may be vulnerable to this issue. This issue is patched The fix was made using https://github.com/mattermost/xml-roundtrip-validator If upgrade to …

fleet is an open source device management, built on osquery. expose a limited ability to spoof SAML authentication with missing audience verification. This impacts deployments using SAML SSO in two specific cases: A malicious or compromised Service Provider (SP) could reuse the SAML response to log into Fleet as a user – only if the user has an account with the same email in Fleet, and the user signs into …