CVE-2021-28091: 
NixOS vulnerability analysis and mitigation

CVE-2021-28091 is a vulnerability discovered in Lasso, a library that implements Liberty Alliance Single Sign On standards including SAML and SAML2 specifications. The vulnerability was disclosed in June 2021 and affects all versions of Lasso prior to 2.7.0. The issue involves an XML Signature Wrapping (XSW) vulnerability when parsing SAML responses (Red Hat CVE).

The vulnerability stems from improper verification of cryptographic signatures in SAML responses. When AuthnResponse messages are not signed (which is permitted by the specification), all assertion signatures should be checked. However, after the first signed assertion is checked, all following assertions were accepted without signature verification, and the last one was considered the main assertion (Lasso Git). The vulnerability has been assigned a CVSS score of 8.8 (High) (Ubuntu CVE).

This vulnerability could allow an attacker to modify a valid SAML response and impersonate users or bypass access control mechanisms. The flaw enables attackers to bundle assertions from different issuers, potentially compromising the authentication system's integrity (Debian Security).

The vulnerability has been fixed in Lasso version 2.7.0. The patch implements two key changes: 1) checking signatures from all assertions if the message is not signed, and 2) refusing messages with assertions from different issuers than the one on the message, to prevent assertion bundling even if they are signed (Lasso Git).