CVE-2024-1735: 
Java vulnerability analysis and mitigation

A critical vulnerability (CVE-2024-1735) has been identified in armeria-saml versions prior to 1.27.2. The vulnerability allows attackers to bypass authentication through the use of malicious SAML messages. This security flaw was discovered and reported by LINE Corporation, with a CVSS v3.1 base score of 9.1 (Critical) (GitHub Advisory).

The vulnerability stems from the SAML implementation in armeria-saml accepting unsigned SAML messages (including assertions and logout requests) without proper validation. This implementation flaw allows attackers to forge SAML messages for authentication purposes, when such unsigned messages should be rejected by default. The vulnerability has received a CVSS v3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating it can be exploited remotely with low attack complexity and requires no privileges or user interaction (GitHub Advisory).

The vulnerability poses a significant security risk as it allows attackers to bypass authentication mechanisms. With a Critical CVSS score of 9.1, the flaw can lead to unauthorized access with high impacts on both confidentiality and integrity of the affected systems (GitHub Advisory).

The vulnerability has been patched in Armeria version 1.27.2. All users running versions prior to 1.27.2 must upgrade to version 1.27.2 or later. There are no known workarounds for this vulnerability (GitHub Advisory).