
CVE-2026-34840

Severity: HIGH (CVSS 3.1 base score 8.1), EPSS 0.06%
Updated: Apr 03, 2026
Vendor: Oneuptime
Fixed In: 10.0.42
Type: CWE-347 (Improper Verification of Cryptographic Signature)
Public PoC: No

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, OneUptime's SAML SSO implementation (App/FeatureSet/Identity/Utils/SSO.ts) decouples signature verification from identity extraction: isSignatureValid() verifies the first <Signature> element found in the XML DOM using xml-crypto, while getEmail() always reads the identity from assertion[0] as parsed by xml2js. Nothing ties the assertion that was signed to the assertion whose identity is trusted. An attacker who holds a legitimately signed assertion can prepend an unsigned assertion carrying an arbitrary identity: the signature check still passes on the genuine assertion, the email is read from the forged one, and the result is an authentication bypass as the chosen identity. The general defence for this class of bug is to take identity only from the element covered by a verified signature's Reference and to reject responses that carry more than one assertion.

This issue has been patched in version 10.0.42.

Attack Parameters

Attack Vector: Network (can be exploited remotely)
Attack Complexity: Low (easy to exploit)
Privileges Required: Low (basic privileges needed; the attacker must already hold a legitimately signed assertion, for example from their own account at the identity provider, to carry the injected one)
User Interaction: None (no user interaction needed)

Impact Assessment

Confidentiality: High (complete data leak)
Integrity: High (complete data modification)
Availability: None (no disruption)

CVSS Vector v3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N (assembled here from the metrics listed above; the unchanged scope is inferred from the 8.1 base score, as a changed scope with the same metrics would score 8.9)