Back to bug 2142450
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Avinash Hanwate | 2022-11-14 03:50:54 UTC | Depends On | 2142451, 2142452 | |
| Avinash Hanwate | 2022-11-25 14:01:45 UTC | CC | jburrell, vkumar | |
| | | Doc Text | A flaw was found in the xmldom package. A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP-signed XML element. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if the generation of a signed message can be triggered. | |
| Avinash Hanwate | 2022-11-25 14:05:17 UTC | Doc Text | A flaw was found in the xmldom package. A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP-signed XML element. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if the generation of a signed message can be triggered. | A flaw was found in the xmldom package. xmldom parses XML that is not well-formed because it contains multiple top-level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to the issuance of CVE-2022-39299 as it is a potential issue for dependents. |
| Avinash Hanwate | 2022-11-25 14:06:39 UTC | Doc Text | A flaw was found in the xmldom package. xmldom parses XML that is not well-formed because it contains multiple top-level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to the issuance of CVE-2022-39299 as it is a potential issue for dependents. | A flaw was found in the xmldom package. The xmldom parses XML that is not well-formed because it contains multiple top-level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to the issuance of CVE-2022-39299 as it is a potential issue for dependents. |
| Paige Jung | 2022-11-25 15:10:43 UTC | Doc Text | A flaw was found in the xmldom package. The xmldom parses XML that is not well-formed because it contains multiple top-level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to the issuance of CVE-2022-39299 as it is a potential issue for dependents. | A flaw was found in the xmldom package. The xmldom parses XML that is not well-formed because it contains multiple top-level elements, adding all root nodes to the `childNodes` collection of the `Document` without reporting errors or throwing. This breaks the assumption that there is only a single root node in the tree, which led to CVE-2022-39299, as it is a potential issue for dependents. |
| Red Hat Bugzilla | 2023-07-07 08:28:24 UTC | Assignee | security-response-team | nobody |