CVE-2021-28091

Description

An XML Signature Wrapping (XSW) vulnerability was found in Lasso. This flaw allows an attacker to modify a valid SAML response to include an unsigned SAML assertion, which may be used to impersonate another valid user recognized by the service using Lasso. The highest threat from this vulnerability is to data confidentiality and integrity as well as service availability.

Statement

Lasso is provided in Red Hat Enterprise Linux 7 and 8 only as a dependency of mod_auth_mellon, without development files. The way mod_auth_mellon uses Lasso makes it not vulnerable to this flaw: mod_auth_mellon additionally validates that a SAML response contains exactly one assertion, so an attacker cannot include an unsigned SAML assertion after a signed, valid one. For this reason this flaw has been rated as Moderate on Red Hat Enterprise Linux 8.

Red Hat Enterprise Linux 7 also provides a lasso-python package that can be used to create Python applications that use Lasso; however, Red Hat only ships ipsilon, which uses it, and Ipsilon does not use the vulnerable functions of Lasso. Considering the presence of lasso-python in Red Hat Enterprise Linux 7, this flaw has been rated as Important there.

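The following is an added example, not code from Lasso, mod_auth_mellon or Red Hat: a structural pre-check modelled on the mitigation described in the statement, which rejects any SAML response that does not contain exactly one assertion and additionally requires the signature Reference to name that assertion. It assumes an assertion-level (enveloped) signature and does not verify the XML-DSig itself; the sample response is constructed.

```python
# Added example, not code from Lasso or mod_auth_mellon: a structural
# pre-check modelled on the mitigation described in the statement above,
# rejecting any SAML response that does not contain exactly one
# <saml:Assertion>, and requiring the signature Reference to name that
# assertion. It does not verify the XML-DSig itself; full signature
# validation must still run afterwards.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ASSERTION_TAG = "{%s}Assertion" % NS["saml"]
REFERENCE_TAG = "{%s}Reference" % NS["ds"]


class SamlStructureError(ValueError):
    """Response fails the single-assertion structural check."""


def validated_subject(response_xml: str) -> str:
    """Return the Subject NameID of the one assertion, else raise."""
    root = ET.fromstring(response_xml)
    # iter() walks the whole tree, so an assertion placed anywhere (for
    # example inside ds:Object or Extensions) is counted and rejected.
    assertions = list(root.iter(ASSERTION_TAG))
    if len(assertions) != 1:
        raise SamlStructureError(
            "expected exactly one Assertion, found %d" % len(assertions))
    assertion = assertions[0]
    assertion_id = assertion.get("ID")
    if not assertion_id:
        raise SamlStructureError("Assertion has no ID attribute")
    # Assumes an assertion-level (enveloped) signature: every Reference must
    # point at the assertion that is actually going to be consumed.
    refs = [r.get("URI") for r in root.iter(REFERENCE_TAG)]
    if not refs or any(uri != "#" + assertion_id for uri in refs):
        raise SamlStructureError("signature Reference does not cover the assertion")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise SamlStructureError("Assertion has no Subject NameID")
    return name_id.text.strip()


# Constructed sample (signature value omitted): one assertion whose
# Reference URI matches its ID.
OK_RESPONSE = (
    '<samlp:Response xmlns:samlp="%(samlp)s" xmlns:saml="%(saml)s" '
    'xmlns:ds="%(ds)s"><saml:Assertion ID="_a1"><ds:Signature>'
    '<ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>'
    '</ds:Signature><saml:Subject><saml:NameID>alice</saml:NameID>'
    '</saml:Subject></saml:Assertion></samlp:Response>' % NS)
```

The check is only a structural gate in front of real signature validation; it makes the "exactly one assertion" rule explicit so that a response carrying an additional unsigned assertion is rejected before any assertion is consumed.
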
Additional Information

  • Bugzilla 1940089: CVE-2021-28091 lasso: XML signature wrapping vulnerability when parsing SAML responses
  • CWE-347->CWE-345: Improper Verification of Cryptographic Signature leads to Insufficient Verification of Data Authenticity
  • FAQ: Frequently asked questions about CVE-2021-28091