samlify
cpe:2.3:a:samlify_project:samlify:*:*:*:*:*:*:*
- 2.10.2
A vulnerability in the samlify library prior to version 2.13.0 allows for XML injection in SAML assertions. The issue arises because the library's template substitution process only escapes attribute contexts, leaving element text values, such as those in <saml:AttributeValue> elements, vulnerable to injection. A normal user can exploit this by injecting XML markup into attribute values and adding new <saml:Attribute> elements into signed assertions. The Identity Provider (IdP) signs the modified assertion, which is then accepted by the Service Provider (SP) as trusted. This injection of attributes can lead to privilege escalation when the injected attributes are used for authorization purposes, such as roles or groups.
Exploitation of this vulnerability allows a normal user to inject arbitrary attributes into a signed SAML assertion, which can be used to gain elevated privileges in Service Providers that rely on SAML attributes for authorization.
To reproduce this vulnerability, first create a SAML response template that includes placeholders for attribute values. Then, inject XML markup into the attribute values, specifically targeting the <saml:AttributeValue> elements. Once the injection is made, the IdP will sign the tampered assertion. When this assertion is processed by the SP, the injected attributes will be accepted as trusted, potentially leading to unauthorized privilege escalation.
Users are advised to update to samlify version 2.13.0 or later, where this vulnerability has been patched.
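The defect class described above, and the fix, as an added illustrative example (this is not samlify's code and does not reproduce its templating engine): a toy assertion template is filled in two ways. The vulnerable renderer escapes only the placeholder that sits inside a quoted attribute and copies element text raw, so a value carrying markup changes the assertion's structure before it is signed; the hardened renderer escapes every substituted value for any XML context. A defender-side check counts `<saml:Attribute>` elements in the rendered output against the single one the template declares. The template, the `{attrName}`/`{attrValue}` placeholders, the function names and the sample value are all constructed for this example.

```javascript
// Added example, not samlify's implementation. Simplified assertion template
// with one attribute-context placeholder ({attrName}) and one element-text
// placeholder ({attrValue}). Real templates carry far more structure.
const TEMPLATE = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="{attrName}">
      <saml:AttributeValue>{attrValue}</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>`;

// Escape a value so it is inert in either XML context (text node or attribute).
// Ampersand must be replaced first so already-produced entities are not doubled.
function escapeXml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&apos;');
}

// Vulnerable pattern: only the attribute-context placeholder is escaped; the
// element-text placeholder receives the caller's value unchanged.
// A function replacement is used so '$' sequences in data are not interpreted
// as replacement patterns by String.prototype.replace.
function renderVulnerable(template, values) {
  return template
    .replace('{attrName}', () => escapeXml(values.attrName))
    .replace('{attrValue}', () => String(values.attrValue));
}

// Hardened pattern: every substituted value is escaped, whatever context
// the placeholder sits in.
function renderHardened(template, values) {
  return template
    .replace('{attrName}', () => escapeXml(values.attrName))
    .replace('{attrValue}', () => escapeXml(values.attrValue));
}

// Defender check: the template declares exactly one <saml:Attribute> element.
// \b keeps <saml:AttributeValue> and <saml:AttributeStatement> out of the count.
function countAttributeElements(xml) {
  return (xml.match(/<saml:Attribute\b/g) || []).length;
}

// Constructed test value: user-controlled profile data that happens to contain
// assertion markup. It is a test fixture for the escaping fix, not real input.
const UNTRUSTED_VALUE =
  'Alice</saml:AttributeValue></saml:Attribute>' +
  '<saml:Attribute Name="role"><saml:AttributeValue>admin';

const profile = { attrName: 'displayName', attrValue: UNTRUSTED_VALUE };

console.log('vulnerable render, Attribute elements:',
  countAttributeElements(renderVulnerable(TEMPLATE, profile)));   // 2
console.log('hardened render, Attribute elements:',
  countAttributeElements(renderHardened(TEMPLATE, profile)));     // 1
```

The count check is a cheap regression test for a templating layer: render with a value that contains markup and assert that the element count is unchanged. In production the more robust version of the same check is to parse the rendered assertion with a real XML parser and compare the element structure against the template's, rather than matching on text.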