CVE-2022-39299
Published: 12 October 2022
Summary
CVE-2022-39299 is a high-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Passport-Saml Project Passport-Saml. Its CVSS base score is 7.4 (High).
Operationally, ranked in the top 10.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Passport-SAML is a SAML 2.0 authentication provider for the Passport Node.js library, and the same flaw also affects the node-saml library in its early beta releases. CVE-2022-39299 is a signature-verification bypass (CWE-347) that permits an attacker to substitute an arbitrary IDP-signed XML element for a legitimate authentication response, thereby evading the cryptographic checks that should enforce identity.
An attacker who possesses or can obtain a signed XML element from the configured identity provider can submit it to the service provider and be granted an authenticated session. When the IDP permits an unauthenticated user to trigger generation of a signed message, the attack can succeed without any valid credentials; otherwise the attacker still needs network access to the SAML endpoint but no user account on the target application. The CVSS 7.4 rating reflects the high attack complexity arising from the need for a signed element.
Public advisories and the associated GitHub security notice recommend immediate upgrade to passport-saml 3.2.2 or later and node-saml 4.0.0-beta.5 or later; the fixes are contained in the commits that tighten root-element signature validation. Where patching is not feasible, the recommended workaround is to disable SAML authentication entirely.
EPSS for the vulnerability rose from a low baseline to a peak of 0.1302 before receding to the current 0.0465, indicating a measurable increase in exploitation interest after disclosure. Public references include exploit code posted to Packet Storm, although no widespread in-the-wild campaigns are documented in the supplied sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-7124
Vulnerability details
Passport-SAML is a SAML 2.0 authentication provider for Passport, the Node.js authentication library. A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an…
more
arbitrary IDP signed XML element. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if generation of a signed message can be triggered. Users should upgrade to passport-saml version 3.2.2 or newer. The issue was also present in the beta releases of `node-saml` before version 4.0.0-beta.5. If you cannot upgrade, disabling SAML authentication may be done as a workaround.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requires verification of digital signatures using organization-approved certificates before installation, directly preventing improper verification of cryptographic signatures.
Component authenticity commonly depends on cryptographic signatures; the control enforces proper verification of those signatures.
PKI certificates under an approved policy require cryptographic signature verification on issuance and validation.
Requires cryptographic signatures on authoritative data and support for verifying the chain of trust.
Mandates verification of cryptographic signatures (e.g., DNSSEC RRSIG) on resolution responses, addressing missing or bypassed signature checks.
Integrity tools commonly rely on cryptographic signatures whose improper validation this weakness covers.
Authenticity validation commonly relies on cryptographic signature or certificate checks that this control enforces.