Medium

lunary

Broken Access Control in SAML Functionality

A broken access control vulnerability was identified in the latest version of the software, allowing users from one organization to update the IDP and view metadata of another organization. This issue has not yet been patched.

Available publicly on Jul 12 2024

6.5

CVSS:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Credit:

d47secc
Threat Overview

The vulnerability arises from improper authentication checks in the SAML functionality, specifically in the saml.ts file. An attacker with a valid token from one organization can manipulate the IDP settings and access sensitive metadata of another organization. This could lead to unauthorized access and potential account takeover if the email addresses of users are known.

Attack Scenario

An attacker with a valid token from Organization A can send a POST request to update the IDP of Organization B. Subsequently, the attacker can access the /v1/users/me/org endpoint to view the updated SAML metadata of Organization B, potentially leading to unauthorized access and account takeover.

Who is affected

Organizations using the affected software version with SAML functionality enabled are at risk. Specifically, any user with a valid token from one organization can exploit this vulnerability to access and manipulate the IDP settings of another organization.

Technical Report
Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have - related security advisories that are available with Sightline Premium.