CVE-2023-41890: 
C# vulnerability analysis and mitigation

Sustainsys.Saml2 library, which adds SAML2P support to ASP.NET web sites allowing them to act as SAML2 Service Providers, contained a vulnerability related to insufficient validation of Identity Provider issuers. The vulnerability was discovered in versions prior to 1.0.3 and 2.9.2, and was disclosed on September 19, 2023. The issue affects all versions of the library before the patched versions (GitHub Advisory).

When processing a response, the issuer of the Identity Provider is not sufficiently validated. This vulnerability has a CVSS v3.1 Base Score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. The vulnerability is classified under CWE-289 (Authentication Bypass by Alternate Name) and CWE-294 (Authentication Bypass by Capture-replay) (NVD).

The vulnerability could allow a malicious identity provider to craft a Saml2 response that would be processed as if it were issued by another identity provider. Additionally, malicious end users could potentially cause stored state intended for one identity provider to be used when processing the response from another provider. Applications are impacted if they rely on either the issuer of the generated identity and claims, or items in the stored request state (AuthenticationProperties) (GitHub Advisory).

The vulnerability has been patched in versions 2.9.2 and 1.0.3. For users unable to upgrade, a workaround is available through the AcsCommandResultCreated notification, which can be used to add the required validation (GitHub Advisory).