CVE-2018-7340

Published: Apr 17, 2019Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

Duo Network Gateway 1.2.9 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.

Affected (1)

Products: Cisco: Duo Network Gateway

1 product

Duo Network Gateway

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Cisco Duo Network Gateway	Up to 1.2.9

Related CWEs

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

References (4)

https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations

Source: security@duo.com

ExploitVendor Advisory

https://www.kb.cert.org/vuls/id/475445

Source: security@duo.com

Third Party AdvisoryUS Government Resource

https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitVendor Advisory

https://www.kb.cert.org/vuls/id/475445

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryUS Government Resource

Timeline

No history available yet.