CVE-2024-25718

In the Samly package before 1.4.0 for Elixir, Samly.State.Store.get_assertion/3 can return an expired session, which interferes with access control because Samly.AuthHandler uses a cached session and does not replace it, even after expiry.
Configurations

Configuration 1 (hide)

cpe:2.3:a:dropbox:samly:*:*:*:*:*:elixir:*:*

History

21 Oct 2024, 20:29

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 9.1
v2 : unknown
v3 : 9.8
First Time Dropbox samly
Dropbox
References () https://diff.hex.pm/diff/samly/1.3.0..1.4.0 - () https://diff.hex.pm/diff/samly/1.3.0..1.4.0 - Patch
References () https://github.com/dropbox/samly - () https://github.com/dropbox/samly - Product
References () https://github.com/dropbox/samly/pull/13 - () https://github.com/dropbox/samly/pull/13 - Patch
References () https://github.com/dropbox/samly/pull/13/commits/812b5c3ad076dc9c9334c1a560c8e6470607d1eb - () https://github.com/dropbox/samly/pull/13/commits/812b5c3ad076dc9c9334c1a560c8e6470607d1eb - Patch
References () https://github.com/handnot2/samly - () https://github.com/handnot2/samly - Product
References () https://hex.pm/packages/samly - () https://hex.pm/packages/samly - Release Notes
CWE CWE-613
CPE cpe:2.3:a:dropbox:samly:*:*:*:*:*:elixir:*:*

01 Aug 2024, 20:35

Type Values Removed Values Added
CWE CWE-400
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 9.1
Summary
  • (es) En el paquete Samly anterior a 1.4.0 para Elixir, Samly.State.Store.get_assertion/3 puede devolver una sesión caducada, lo que interfiere con el control de acceso porque Samly.AuthHandler usa una sesión almacenada en caché y no la reemplaza, incluso después de su vencimiento.

11 Feb 2024, 05:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-02-11 05:15

Updated : 2024-10-21 20:29


NVD link : CVE-2024-25718

Mitre link : CVE-2024-25718

CVE.ORG link : CVE-2024-25718


JSON object : View

Products Affected

dropbox

  • samly
CWE
CWE-613

Insufficient Session Expiration

CWE-400

Uncontrolled Resource Consumption