    2 vulnerabilities found for Duo Network Gateway by Duo Security

    CVE-2018-7340 (GCVE-0-2018-7340)

    Vulnerability from nvd – Published: 2019-04-17 14:01 – Updated: 2024-08-05 06:24
    Title
    Multiple SAML libraries may allow authentication bypass via incorrect XML canonicalization and DOM traversal
    Summary
    Duo Network Gateway 1.2.9 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attacker to potentially bypass authentication to SAML service providers.
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    duo
    References
    Impacted products
    Vendor Product Version
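    Duo Security Duo Network Gateway Affected: unspecified, < 1.2.9 (custom)
    Note: this range excludes 1.2.9 itself, while the Summary says "1.2.9 and earlier"; confirm against the vendor post and CERT/CC note referenced in the record below before treating 1.2.9 as fixed.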
    Credits
    Kelby Ludwig of Duo Security

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T06:24:11.848Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.kb.cert.org/vuls/id/475445"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Duo Network Gateway",
              "vendor": "Duo Security",
              "versions": [
                {
                  "lessThan": "1.2.9",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Kelby Ludwig of Duo Security"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Duo Network Gateway 1.2.9 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-04-17T14:01:03.000Z",
            "orgId": "7cd4c57f-0a88-4dda-be53-70336b413766",
            "shortName": "duo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.kb.cert.org/vuls/id/475445"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Multiple SAML libraries may allow authentication bypass via incorrect XML canonicalization and DOM traversal",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@duo.com",
              "ID": "CVE-2018-7340",
              "STATE": "PUBLIC",
              "TITLE": "Multiple SAML libraries may allow authentication bypass via incorrect XML canonicalization and DOM traversal"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Duo Network Gateway",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_value": "1.2.9"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Duo Security"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Kelby Ludwig of Duo Security"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Duo Network Gateway 1.2.9 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-287: Improper Authentication"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations",
                  "refsource": "MISC",
                  "url": "https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations"
                },
                {
                  "name": "https://www.kb.cert.org/vuls/id/475445",
                  "refsource": "MISC",
                  "url": "https://www.kb.cert.org/vuls/id/475445"
                }
              ]
            },
            "source": {
              "discovery": "INTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7cd4c57f-0a88-4dda-be53-70336b413766",
        "assignerShortName": "duo",
        "cveId": "CVE-2018-7340",
        "datePublished": "2019-04-17T14:01:03.000Z",
        "dateReserved": "2018-02-22T00:00:00.000Z",
        "dateUpdated": "2024-08-05T06:24:11.848Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-7340 (GCVE-0-2018-7340)

    Vulnerability from cvelistv5 – Published: 2019-04-17 14:01 – Updated: 2024-08-05 06:24
    Title
    Multiple SAML libraries may allow authentication bypass via incorrect XML canonicalization and DOM traversal
    Summary
    Duo Network Gateway 1.2.9 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attacker to potentially bypass authentication to SAML service providers.
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    duo
    References
    Impacted products
    Vendor Product Version
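    Duo Security Duo Network Gateway Affected: unspecified, < 1.2.9 (custom)
    Note: this range excludes 1.2.9 itself, while the Summary says "1.2.9 and earlier"; confirm against the vendor post and CERT/CC note referenced in the record below before treating 1.2.9 as fixed.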
    Credits
    Kelby Ludwig of Duo Security

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T06:24:11.848Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.kb.cert.org/vuls/id/475445"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Duo Network Gateway",
              "vendor": "Duo Security",
              "versions": [
                {
                  "lessThan": "1.2.9",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Kelby Ludwig of Duo Security"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Duo Network Gateway 1.2.9 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-04-17T14:01:03.000Z",
            "orgId": "7cd4c57f-0a88-4dda-be53-70336b413766",
            "shortName": "duo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.kb.cert.org/vuls/id/475445"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Multiple SAML libraries may allow authentication bypass via incorrect XML canonicalization and DOM traversal",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@duo.com",
              "ID": "CVE-2018-7340",
              "STATE": "PUBLIC",
              "TITLE": "Multiple SAML libraries may allow authentication bypass via incorrect XML canonicalization and DOM traversal"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Duo Network Gateway",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_value": "1.2.9"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Duo Security"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Kelby Ludwig of Duo Security"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Duo Network Gateway 1.2.9 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-287: Improper Authentication"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations",
                  "refsource": "MISC",
                  "url": "https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations"
                },
                {
                  "name": "https://www.kb.cert.org/vuls/id/475445",
                  "refsource": "MISC",
                  "url": "https://www.kb.cert.org/vuls/id/475445"
                }
              ]
            },
            "source": {
              "discovery": "INTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7cd4c57f-0a88-4dda-be53-70336b413766",
        "assignerShortName": "duo",
        "cveId": "CVE-2018-7340",
        "datePublished": "2019-04-17T14:01:03.000Z",
        "dateReserved": "2018-02-22T00:00:00.000Z",
        "dateUpdated": "2024-08-05T06:24:11.848Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }