OneUptime SAML SSO Authentication Bypass Vulnerability
Vulnerability
A vulnerability in OneUptime's SAML Single Sign-On (SSO) implementation prior to version 10.0.42 allows authentication bypass through multi-assertion identity injection. The issue arises because signature verification and identity extraction are decoupled: the signature is checked on one assertion, while the identity is read from whichever assertion appears first. An attacker can exploit this by prepending an unsigned assertion with a chosen identity to a signed assertion, bypassing authentication. This vulnerability affects OneUptime instances using SAML SSO with an Identity Provider (IdP) that produces assertion-level signatures.
Impact
Exploitation of this vulnerability allows an attacker to impersonate any user within the same SSO-enabled OneUptime project, provided the target user is registered in the project.
Reproduction
The vulnerability can be reproduced by intercepting a SAML response, prepending an unsigned assertion with an arbitrary identity to a signed assertion, and then submitting the modified response to OneUptime's Assertion Consumer Service (ACS) endpoint. This process can be automated with a script that handles the SAML assertion manipulation and submission.
Remediation
Users can update to OneUptime version 10.0.42 or later, where this vulnerability has been patched.
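The decoupling described above, shown as an added example that is not OneUptime's code: `decoupled_identity` takes the first NameID it finds regardless of which assertion was signed, while `bound_identity` requires exactly one assertion and checks that it is the one the signature verifier covered. The sample responses are constructed and skeletal, and the XML-DSig verification itself is assumed to be done by a library that reports the ID of the assertion it verified.

```python
"""Added example (not OneUptime's code): identity must come from the signature-verified assertion."""
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def make_response(*assertions):
    """Build a constructed SAML Response; real IdP output carries far more elements."""
    return (
        '<saml2p:Response xmlns:saml2p="%s" xmlns:saml2="%s" xmlns:ds="%s">%s</saml2p:Response>'
        % (NS["saml2p"], NS["saml2"], NS["ds"], "".join(assertions))
    )

def assertion(aid, name_id, signed):
    """A skeletal assertion; the ds:Signature is a placeholder carrying only its Reference URI."""
    sig = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#%s"/></ds:SignedInfo>'
           '</ds:Signature>' % aid) if signed else ""
    return ('<saml2:Assertion ID="%s">%s<saml2:Subject><saml2:NameID>%s</saml2:NameID>'
            '</saml2:Subject></saml2:Assertion>' % (aid, sig, name_id))

# Constructed samples: a genuine single-assertion response and a multi-assertion one.
GENUINE = make_response(assertion("_real", "user@example.com", True))
INJECTED = make_response(assertion("_forged", "admin@example.com", False),
                         assertion("_real", "user@example.com", True))

def decoupled_identity(response_xml):
    """Vulnerable pattern: signature checked elsewhere, identity taken from the first NameID."""
    root = ET.fromstring(response_xml)
    return root.find(".//saml2:Assertion/saml2:Subject/saml2:NameID", NS).text

def bound_identity(response_xml, verified_assertion_id):
    """Hardened: exactly one Assertion, and it must be the one the signature check covered.
    verified_assertion_id is assumed to come from the XML-DSig verifier (not performed here)."""
    root = ET.fromstring(response_xml)
    assertions = root.findall("saml2:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion, got %d" % len(assertions))
    a = assertions[0]
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if a.get("ID") != verified_assertion_id or ref is None or ref.get("URI") != "#" + a.get("ID"):
        raise ValueError("identity-bearing assertion is not the signature-verified assertion")
    return a.find("saml2:Subject/saml2:NameID", NS).text
```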
