Advisory Database
  • Advisories
  • Dependency Scanning
  1. npm
  2. ›
  3. passport-wsfed-saml2
  4. ›
  5. CVE-2017-16897

CVE-2017-16897: Authentication Bypass by Spoofing

December 27, 2017 (updated October 3, 2019)

This vulnerability allows an attacker to impersonate another user and potentially elevate their privileges if the SAML identity provider does not sign the full SAML response (e.g., only signs the assertion within the response).

References

  • auth0.com/docs/security/bulletins/cve-2017-16897
  • nvd.nist.gov/vuln/detail/CVE-2017-16897

Code Behaviors & Features

Detect and mitigate CVE-2017-16897 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions before 3.0.5

Fixed versions

  • 3.0.5

Solution

Upgrade to version 3.0.5 or above.

Impact 8.1 HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Learn more about CVSS

Weakness

  • CWE-290: Authentication Bypass by Spoofing

Source file

npm/passport-wsfed-saml2/CVE-2017-16897.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Wed, 14 May 2025 12:15:58 +0000.