Vulnerability Details CVE-2021-23365
The package github.com/tyktechnologies/tyk-identity-broker before 1.1.1 are vulnerable to Authentication Bypass via the Go XML parser which can cause SAML authentication bypass. This is because the XML parser doesn’t guarantee integrity in the XML round-trip (encoding/decoding XML data).
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 57.8%
CVSS Severity
CVSS v3 Score 4.8
CVSS v2 Score 5.5
References
- https://github.com/TykTechnologies/tyk-identity-broker/commit/243092965b0f93a95a14cb882b5b9a3df61dd5c0
- https://github.com/TykTechnologies/tyk-identity-broker/commit/46f70420e0911e4e8b638575e29d394c227c75d0
- https://github.com/TykTechnologies/tyk-identity-broker/pull/147
- https://github.com/TykTechnologies/tyk-identity-broker/releases/tag/v1.1.1
- https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTYKTECHNOLOGIESTYKIDENTITYBROKER-1089720
- https://github.com/TykTechnologies/tyk-identity-broker/commit/243092965b0f93a95a14cb882b5b9a3df61dd5c0
- https://github.com/TykTechnologies/tyk-identity-broker/commit/46f70420e0911e4e8b638575e29d394c227c75d0
- https://github.com/TykTechnologies/tyk-identity-broker/pull/147
- https://github.com/TykTechnologies/tyk-identity-broker/releases/tag/v1.1.1
- https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTYKTECHNOLOGIESTYKIDENTITYBROKER-1089720
Products affected by CVE-2021-23365
-
cpe:2.3:a:tyk:tyk-identity-broker:-
-
cpe:2.3:a:tyk:tyk-identity-broker:0.1
-
cpe:2.3:a:tyk:tyk-identity-broker:0.2
-
cpe:2.3:a:tyk:tyk-identity-broker:0.2.1
-
cpe:2.3:a:tyk:tyk-identity-broker:0.3.0
-
cpe:2.3:a:tyk:tyk-identity-broker:0.4.0
-
cpe:2.3:a:tyk:tyk-identity-broker:0.5.0
-
cpe:2.3:a:tyk:tyk-identity-broker:0.6.0
-
cpe:2.3:a:tyk:tyk-identity-broker:0.6.1
-
cpe:2.3:a:tyk:tyk-identity-broker:0.7.0
-
cpe:2.3:a:tyk:tyk-identity-broker:0.7.1
-
cpe:2.3:a:tyk:tyk-identity-broker:0.7.2
-
cpe:2.3:a:tyk:tyk-identity-broker:1.0.0
-
cpe:2.3:a:tyk:tyk-identity-broker:1.1.0