CVE-2017-16897: Authentication Bypass by Spoofing

December 27, 2017 (updated October 3, 2019)

This vulnerability allows an attacker to impersonate another user and potentially elevate their privileges if the SAML identity provider does not sign the full SAML response (e.g., only signs the assertion within the response).

References

auth0.com/docs/security/bulletins/cve-2017-16897
nvd.nist.gov/vuln/detail/CVE-2017-16897

Code Behaviors & Features

Detect and mitigate CVE-2017-16897 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →