AmazonALAS-2021-1529Important: lasso
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile
78.1%
Issue Overview:
An XML Signature Wrapping (XSW) vulnerability was found in Lasso. This flaw allows an attacker to modify a valid SAML response to include an unsigned SAML assertion, which may be used to impersonate another valid user recognized by the service using Lasso. The highest threat from this vulnerability is to data confidentiality and integrity as well as service availability. (CVE-2021-28091)
Affected Packages:
lasso
Issue Correction:
Run yum update lasso to update your system.
New Packages:
i686:
lasso-python-2.5.1-8.6.amzn1.i686
lasso-debuginfo-2.5.1-8.6.amzn1.i686
lasso-devel-2.5.1-8.6.amzn1.i686
lasso-2.5.1-8.6.amzn1.i686
src:
lasso-2.5.1-8.6.amzn1.src
x86_64:
lasso-devel-2.5.1-8.6.amzn1.x86_64
lasso-debuginfo-2.5.1-8.6.amzn1.x86_64
lasso-python-2.5.1-8.6.amzn1.x86_64
lasso-2.5.1-8.6.amzn1.x86_64
Additional References
Red Hat: CVE-2021-28091
Mitre: CVE-2021-28091
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Amazon Linux | 1 | i686 | lasso-python | < 2.5.1-8.6.amzn1 | lasso-python-2.5.1-8.6.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | lasso-debuginfo | < 2.5.1-8.6.amzn1 | lasso-debuginfo-2.5.1-8.6.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | lasso-devel | < 2.5.1-8.6.amzn1 | lasso-devel-2.5.1-8.6.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | lasso | < 2.5.1-8.6.amzn1 | lasso-2.5.1-8.6.amzn1.i686.rpm |
| Amazon Linux | 1 | x86_64 | lasso-devel | < 2.5.1-8.6.amzn1 | lasso-devel-2.5.1-8.6.amzn1.x86_64.rpm |
| Amazon Linux | 1 | x86_64 | lasso-debuginfo | < 2.5.1-8.6.amzn1 | lasso-debuginfo-2.5.1-8.6.amzn1.x86_64.rpm |
| Amazon Linux | 1 | x86_64 | lasso-python | < 2.5.1-8.6.amzn1 | lasso-python-2.5.1-8.6.amzn1.x86_64.rpm |
| Amazon Linux | 1 | x86_64 | lasso | < 2.5.1-8.6.amzn1 | lasso-2.5.1-8.6.amzn1.x86_64.rpm |
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile
78.1%