[midPoint] Security Advisory: CSRF protection was not working if user logged using SAML2 or OIDC

Tony Tkacik tony.tkacik at evolveum.com
Thu Sep 21 17:04:40 CEST 2023


Date: 20. 9. 2023 
Severity: High 
Affected versions: All midPoint versions prior to 4.4.6, 4.7.2 
Fixed in versions: 4.8 (unreleased), 4.7.2, 4.4.6, 4.6.2 (unreleased) 


Description 


A CSRF vulnerability exists if midPoint is configured to use remote authentication via SAML 2 or OIDC and the user was authenticated through one of these providers. Users authenticated with the built-in login form are not affected. 


Severity and Impact 

This is a high-severity issue. 

The normal built-in midPoint login is not affected, but a CSRF attack can be constructed against a logged-in user whose session was established through remote authentication via SAML 2 or OIDC. 


Mitigation 

Users of affected midPoint versions are advised to upgrade their deployments to the latest maintenance release. 
Users of midPoint 4.6 should use a build from the support branch. 


Discussion and Explanation 

During the remote authentication sequence, the token-based CSRF protection (provided by the Spring Framework) needs to be disabled for the session, but it was not automatically re-enabled once authentication had completed. The fixed code contains improved conditions, and token-based CSRF protection is enforced again once remote authentication is completed. 
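The following Spring Security 6 configuration is an added illustration of the defect class described above; it is not midPoint's code and does not reproduce its fix. It assumes a hypothetical session attribute (REMOTE_AUTH_IN_PROGRESS) used as a per-session switch, Spring Security's default SAML 2 and OAuth2/OIDC login processing paths, and that relying-party and client registrations are configured elsewhere. It shows the risky per-session switch, the reset step that must run on authentication success, and the preferred alternative of exempting only the identity-provider callback endpoints from the token check.

```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Hypothetical configuration (not midPoint's code) illustrating the defect class in
 * the advisory: CSRF protection relaxed for a session during remote (SAML 2 / OIDC)
 * authentication and never tightened again once the user is logged in.
 */
@Configuration
@EnableWebSecurity
public class CsrfScopingConfig {

    /** Hypothetical session attribute marking "remote authentication in progress". */
    static final String REMOTE_AUTH_IN_PROGRESS = "remoteAuthInProgress";

    /**
     * Risky pattern: a per-session switch. This matcher (wired via
     * csrf.requireCsrfProtectionMatcher(...)) tells CsrfFilter to skip token checks for
     * the whole session while the flag is set. If nothing removes the flag after the
     * identity-provider callback completes, every later state-changing request in that
     * now-authenticated session goes unchecked, which is the condition the advisory
     * describes.
     */
    static RequestMatcher csrfRequiredUnlessRemoteAuthInProgress() {
        // Spring's default: require a token on everything except GET/HEAD/TRACE/OPTIONS.
        RequestMatcher defaultMatcher = CsrfFilter.DEFAULT_CSRF_MATCHER;
        return request -> {
            HttpSession session = request.getSession(false);
            boolean inProgress = session != null
                    && Boolean.TRUE.equals(session.getAttribute(REMOTE_AUTH_IN_PROGRESS));
            return !inProgress && defaultMatcher.matches(request);
        };
    }

    /**
     * The step that must not be missing: clear the per-session switch as soon as
     * authentication succeeds, so token-based CSRF is enforced again for the
     * authenticated session before the delegate handler redirects the user.
     */
    static AuthenticationSuccessHandler reenableCsrfOnSuccess(AuthenticationSuccessHandler delegate) {
        return (HttpServletRequest request, HttpServletResponse response, Authentication auth) -> {
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.removeAttribute(REMOTE_AUTH_IN_PROGRESS);
            }
            delegate.onAuthenticationSuccess(request, response, auth);
        };
    }

    /**
     * Preferred approach: keep no session-scoped CSRF state at all. Exempt only the
     * identity-provider callback endpoints (Spring Security's default SAML 2 and
     * OAuth2/OIDC login processing URLs) and keep the token check on every other
     * state-changing request, before and after login alike.
     */
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .csrf(csrf -> csrf
                .ignoringRequestMatchers("/login/saml2/sso/**", "/login/oauth2/code/**"))
            .saml2Login(Customizer.withDefaults())
            .oauth2Login(Customizer.withDefaults())
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
        return http.build();
    }
}
```

The path-scoped exemption is safer than a session flag because the exemption is decided per request from the URL alone: there is no state that can be left behind after the login flow, and a forgotten reset cannot silently widen the exemption to the whole authenticated session. A quick check for the original condition is to complete a SAML 2 or OIDC login in a test deployment and then submit a state-changing request without the CSRF token; a correctly configured instance rejects it.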

This advisory is also available at https://docs.evolveum.com/midpoint/reference/security/advisories/020-csrf-not-working-when-using-saml2/ 

-- 
Anton Tkáčik
Software Developer
evolveum.com 
