CRITICAL 9.8
GHSA-3w4h-g9f5-j84p
Casdoor does not validate the AudienceRestriction element in SAML assertions
Details
In Casdoor versions 2.362.0 and earlier, the SAML service provider implementation does not validate the AudienceRestriction element in SAML assertions. The buildSp function in object/saml_sp.go never sets AudienceURI on the gosaml2 SAMLServiceProvider struct and never inspects WarningInfo.NotInAudience. This allows assertions issued for other service providers to be accepted by Casdoor.
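The check the advisory describes as missing, written here as an added example over Go's standard library (not Casdoor's or gosaml2's code): the SP entity IDs and the assertion are constructed for the demo. With gosaml2 the equivalent is setting AudienceURI on the SAMLServiceProvider and rejecting any response whose WarningInfo.NotInAudience is set.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Subset of a SAML 2.0 Assertion: only the AudienceRestriction/Audience elements.
type Assertion struct {
	XMLName    xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	Conditions struct {
		AudienceRestrictions []struct {
			Audiences []string `xml:"Audience"`
		} `xml:"AudienceRestriction"`
	} `xml:"Conditions"`
}

// CheckAudience applies SAML 2.0 core 2.5.1.4: audiences inside one restriction
// are OR-ed, separate restrictions are AND-ed, so each must name this SP's entity
// ID (exact, case-sensitive URI match). An assertion with no restriction at all is
// rejected too, so a token the IdP minted for another SP cannot be presented here.
func CheckAudience(assertionXML, spEntityID string) error {
	var a Assertion
	if err := xml.Unmarshal([]byte(assertionXML), &a); err != nil {
		return fmt.Errorf("saml: parse assertion: %w", err)
	}
	if len(a.Conditions.AudienceRestrictions) == 0 {
		return fmt.Errorf("saml: assertion carries no AudienceRestriction")
	}
	for _, ar := range a.Conditions.AudienceRestrictions {
		matched := false
		for _, aud := range ar.Audiences {
			if strings.TrimSpace(aud) == spEntityID {
				matched = true
			}
		}
		if !matched {
			return fmt.Errorf("saml: audience %v does not include %q", ar.Audiences, spEntityID)
		}
	}
	return nil
}

// Constructed sample (not a real token): an assertion issued for sp-a only.
const SampleAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://sp-a.example.com/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>`
```

Calling CheckAudience with "https://sp-b.example.com/saml" against SampleAssertion returns an error, which is exactly the cross-SP acceptance the advisory says Casdoor does not prevent.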
Affected packages
Go / github.com/casdoor/casdoor
First affected version: 0
No fixed version published yet for github.com/casdoor/casdoor (Go modules). Pin to a known-safe version or switch to an alternative.
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-9093 [ADVISORY]
- https://github.com/casdoor/casdoor [PACKAGE]
- https://kb.cert.org/vuls/id/780781 [WEB]