ghsa-52jx-g6m5-h735
Vulnerability from github
Published
2025-03-06 19:12
Modified
2025-03-14 20:32
Severity ?
VLAI Severity ?
Summary
Fleet has SAML authentication vulnerability due to improper SAML response validation
Details
Impact
In vulnerable versions of Fleet, an attacker could craft a specially-formed SAML response to:
- Forge authentication assertions, potentially impersonating legitimate users.
- If Just-In-Time (JIT) provisioning is enabled, the attacker could provision a new administrative user account.
- If MDM enrollment is enabled, certain endpoints could be used to create new accounts tied to forged assertions.
This could allow unauthorized access to Fleet, including administrative access, visibility into device data, and modification of configuration.
Patches
This issue is addressed in commit fc96cc4 and is available in Fleet version 4.64.2.
The following backport versions also address this issue:
- 4.63.2
- 4.62.4
- 4.58.1
- 4.53.2
Workarounds
If an immediate upgrade is not possible, Fleet users should temporarily disable single-sign-on (SSO) and use password authentication.
Credit
Thank you @hakivvi, as well as Jeffrey Hofmann and Colby Morgan from the Robinhood Red Team for finding and reporting this vulnerability using our responsible disclosure process.
For more information
If you have any questions or comments about this advisory:
- Email us at security@fleetdm.com
- Join #fleet in osquery Slack
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/fleetdm/fleet/v4"
},
"ranges": [
{
"events": [
{
"introduced": "4.64.0"
},
{
"fixed": "4.64.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/fleetdm/fleet/v4"
},
"ranges": [
{
"events": [
{
"introduced": "4.63.0"
},
{
"fixed": "4.63.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/fleetdm/fleet/v4"
},
"ranges": [
{
"events": [
{
"introduced": "4.62.0"
},
{
"fixed": "4.62.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/fleetdm/fleet/v4"
},
"ranges": [
{
"events": [
{
"introduced": "4.54.0"
},
{
"fixed": "4.58.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/fleetdm/fleet/v4"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.53.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-27509"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-74"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-06T19:12:27Z",
"nvd_published_at": "2025-03-06T19:15:27Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nIn vulnerable versions of Fleet, an attacker could craft a specially-formed SAML response to:\n\n- Forge authentication assertions, potentially impersonating legitimate users.\n- If Just-In-Time (JIT) provisioning is enabled, the attacker could provision a new administrative user account.\n- If MDM enrollment is enabled, certain endpoints could be used to create new accounts tied to forged assertions.\n\nThis could allow unauthorized access to Fleet, including administrative access, visibility into device data, and modification of configuration. \n\n### Patches\n\nThis issue is addressed in commit [fc96cc4](https://github.com/fleetdm/fleet/commit/fc96cc4e91047250afb12f65ad70e90b30a7fb1c) and is available in Fleet version 4.64.2.\n\nThe following backport versions also address this issue: \n\n- 4.63.2\n- 4.62.4\n- 4.58.1\n- 4.53.2\n\n### Workarounds\n\nIf an immediate upgrade is not possible, Fleet users should temporarily disable [single-sign-on (SSO)](https://fleetdm.com/docs/deploy/single-sign-on-sso) and use password authentication.\n\n### Credit\n\nThank you @hakivvi, as well as Jeffrey Hofmann and Colby Morgan from the Robinhood Red Team for finding and reporting this vulnerability using our [responsible disclosure process](https://github.com/fleetdm/fleet/blob/main/SECURITY.md).\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n- Email us at security@fleetdm.com\n- Join #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)",
"id": "GHSA-52jx-g6m5-h735",
"modified": "2025-03-14T20:32:17Z",
"published": "2025-03-06T19:12:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fleetdm/fleet/security/advisories/GHSA-52jx-g6m5-h735"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27509"
},
{
"type": "WEB",
"url": "https://github.com/fleetdm/fleet/commit/718c95e47ad010ad6b8ceb3f3460e921fbfc53bb"
},
{
"type": "PACKAGE",
"url": "https://github.com/fleetdm/fleet"
},
{
"type": "WEB",
"url": "https://github.com/fleetdm/fleet/releases/tag/fleet-v4.64.2"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-3505"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Fleet has SAML authentication vulnerability due to improper SAML response validation"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…