SAML Assertion Signature Validation Bypass in SOGo

CVE-2021-33054 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receives. Any actor with network access to the deployment could impersonate users when SAML is the authentication method. (Only versions after 2.0.5a are affected.)
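As an added example (not part of the advisory or of SOGo itself), a small Python triage helper that encodes the affected ranges stated above, so an inventory of SOGo instances can be checked against them. It assumes SOGo version strings of the form MAJOR.MINOR.PATCH with an optional trailing letter, as in 2.0.5a; the constructed inventory at the bottom is sample data.

```python
import re
from typing import Dict, Tuple

# Affected ranges as stated in the advisory for CVE-2021-33054:
#   2.x after 2.0.5a and before 2.4.1; 3.x through 5.x before 5.1.1.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], str]:
    """Turn 'MAJOR.MINOR.PATCH[letter]' into a comparable key.

    Numeric parts are compared first; a trailing letter (2.0.5a) sorts
    after the same version without a letter (2.0.5), matching how the
    advisory treats 2.0.5a as a release after 2.0.5.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SOGo version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * max(0, 3 - len(nums))  # 2.4 compares as 2.4.0
    return nums, m.group(2)


def is_affected(version: str) -> bool:
    """True if this SOGo version falls inside an affected range."""
    key = parse_version(version)
    in_2x = parse_version("2.0.5a") < key < parse_version("2.4.1")
    in_3_to_5 = parse_version("3.0.0") <= key < parse_version("5.1.1")
    return in_2x or in_3_to_5


def exposure(version: str, saml_is_auth_method: bool) -> str:
    """Classify one deployment: the bug is only reachable when SAML is the
    authentication method, so an affected build without SAML is a patching
    task rather than an active impersonation risk."""
    if not is_affected(version):
        return "not-affected"
    return "vulnerable" if saml_is_auth_method else "affected-no-saml"


def triage(inventory: Dict[str, Tuple[str, bool]]) -> Dict[str, str]:
    """Map host -> exposure for an inventory of (version, saml_enabled)."""
    return {host: exposure(ver, saml) for host, (ver, saml) in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"mail-a": ("5.1.0", True), "mail-b": ("2.0.5a", True),
              "mail-c": ("4.3.2", False), "mail-d": ("5.1.1", True)}
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```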