CVE-2022-45597

9.8 CRITICAL

📋 TL;DR

ComponentSpace.Saml2 4.4.0 is reported to skip SSL/TLS server certificate validation at the application layer, that is, in the HTTPS requests the library itself makes during SAML authentication (such as fetching identity provider metadata or resolving artifacts). An attacker in a man-in-the-middle position can present an arbitrary certificate and intercept or alter that traffic. Any application that uses the library for SAML-based single sign-on is affected. The entry is disputed: the vendor does not consider this a vulnerability, holding that certificate validation is unnecessary within the trusted relationship between the parties.

💻 Affected Systems

Products:
  • ComponentSpace.Saml2
Versions: 4.4.0
Operating Systems: All platforms running .NET applications
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using SAML authentication with this library; vendor disputes vulnerability classification.

📦 What is this software?

ComponentSpace.Saml2 is the NuGet package for ComponentSpace SAML for ASP.NET Core, a commercial .NET library that adds SAML 2.0 single sign-on (in the service provider or identity provider role) to ASP.NET Core applications.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers intercept or replace SAML assertions, impersonate users, and gain access to every application that trusts the compromised sign-on flow.

🟠 Likely Case

Attackers who already hold a privileged network position between the application and the identity provider intercept and modify SAML traffic to impersonate legitimate users.

🟢 If Mitigated

With SAML traffic confined to trusted network segments and certificate validation enforced in the application, the remaining exposure is an attacker who is already inside that trusted segment.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires a man-in-the-middle position on the path between the application and the identity provider; exploitation depends on being able to intercept and rewrite the SAML traffic, not on holding any credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None

Vendor Advisory: None

Restart Required: No

Instructions:

The vendor does not consider this a vulnerability, so no official patch exists. Enforce certificate validation yourself (see the workarounds below) or move to a SAML library that validates certificates by default.

🔧 Temporary Workarounds

Implement custom certificate validation

Applies to: all platforms

Add certificate validation logic to the SAML configuration so that certificate chains and signatures are verified before a connection or assertion is trusted.

How: Implement a custom CertificateValidator class and configure it via Saml2Configuration.CertificateValidator. The validator must fail closed on chain, hostname and expiry errors; never return "valid" unconditionally to make a test environment work.

Use transport layer encryption

Applies to: all platforms

Ensure all SAML traffic uses HTTPS with certificate validation enforced at the transport layer.

How: Configure the application to require HTTPS and to validate TLS certificates on every outbound connection. In .NET this also means not installing an always-true ServerCertificateCustomValidationCallback on HttpClientHandler or ServicePointManager.

🧯 If You Can't Patch

  • Isolate SAML traffic to trusted network segments only
  • Implement network monitoring for unusual SAML traffic patterns

🔍 How to Verify

Check if Vulnerable:

Confirm the application references ComponentSpace.Saml2 4.4.0, then review the SAML configuration and any HttpClient setup for disabled or always-true certificate validation callbacks.

Check Version:

Check the PackageReference in the .csproj file, the NuGet package manager, or the output of `dotnet list package` for the ComponentSpace.Saml2 version.

Verify Fix Applied:

Point the application at a test identity provider endpoint that presents a self-signed or hostname-mismatched certificate; authentication must fail with a certificate error rather than complete.
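Both workarounds above and this verification step come down to one control: the application must never accept a server certificate the platform would reject. The following C# is an added example (not ComponentSpace's code and not its configuration API) showing the .NET pattern that produces the reported weakness beside a hardened handler that keeps the platform's chain checks and allow-lists the expected identity provider certificate, with an offline self-check that exercises the validator using a constructed self-signed certificate. `SamlHttpHandlers`, `IsTrustedIdpCertificate` and the `idp.example.test` name are assumptions for illustration; the hardened handler would be used for whatever HttpClient your SAML integration uses for its own HTTPS requests.

```csharp
// Added example, not ComponentSpace's code: the .NET pattern that disables
// application-layer TLS certificate validation, beside a hardened handler and an
// offline self-check. Names (SamlHttpHandlers, idp.example.test) are assumptions.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class SamlHttpHandlers
{
    // WEAK: every server certificate is accepted, so an on-path attacker presenting a
    // self-signed certificate can impersonate the IdP's metadata or artifact endpoint.
    // This is the shape of "missing SSL certificate validation" in .NET code.
    public static HttpClientHandler Weak() => new HttpClientHandler
    {
        ServerCertificateCustomValidationCallback =
            HttpClientHandler.DangerousAcceptAnyServerCertificateValidator
    };

    // HARDENED: keep the platform's chain/name/expiry checks (sslPolicyErrors must be
    // None) and additionally allow-list the expected IdP leaf certificate thumbprints.
    public static HttpClientHandler Hardened(ISet<string> expectedThumbprints) => new HttpClientHandler
    {
        ServerCertificateCustomValidationCallback =
            (request, cert, chain, sslPolicyErrors) =>
                IsTrustedIdpCertificate(cert, sslPolicyErrors, expectedThumbprints)
    };

    // Fail closed: any policy error or an unexpected leaf rejects the connection.
    public static bool IsTrustedIdpCertificate(
        X509Certificate2? cert, SslPolicyErrors sslPolicyErrors, ISet<string> expectedThumbprints)
    {
        if (cert is null) return false;
        if (sslPolicyErrors != SslPolicyErrors.None) return false; // never "return true" for test convenience
        return expectedThumbprints.Contains(cert.Thumbprint.ToUpperInvariant());
    }

    // Offline self-check standing in for "test with an invalid certificate": a constructed
    // self-signed certificate is exactly what a MITM without a trusted CA can present.
    public static int Main()
    {
        using var rsa = RSA.Create(2048);
        var request = new CertificateRequest("CN=idp.example.test", rsa,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var selfSigned = request.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1));
        var pinned = new HashSet<string> { selfSigned.Thumbprint.ToUpperInvariant() };

        // A chain error (what a self-signed cert produces) is rejected even though the leaf is pinned.
        bool chainErrorRejected =
            !IsTrustedIdpCertificate(selfSigned, SslPolicyErrors.RemoteCertificateChainErrors, pinned);
        // A clean chain but a leaf we do not expect is rejected.
        bool unpinnedRejected =
            !IsTrustedIdpCertificate(selfSigned, SslPolicyErrors.None, new HashSet<string>());
        // A clean chain and an expected leaf is the only accept path.
        bool pinnedAccepted = IsTrustedIdpCertificate(selfSigned, SslPolicyErrors.None, pinned);

        Console.WriteLine($"chain error rejected: {chainErrorRejected}, " +
                          $"unpinned rejected: {unpinnedRejected}, pinned accepted: {pinnedAccepted}");

        // Wire the hardened handler into the HttpClient your SAML integration uses for
        // its own HTTPS requests (metadata retrieval, artifact resolution).
        using var client = new HttpClient(Hardened(pinned));
        return chainErrorRejected && unpinnedRejected && pinnedAccepted ? 0 : 1;
    }
}
```

The self-check deliberately passes `RemoteCertificateChainErrors` by hand rather than opening a socket, so it runs offline; against a live test IdP with a self-signed certificate the platform supplies that same error value and the hardened handler refuses the connection, which is the observable behaviour the verification step asks for. Pinning by thumbprint is an extra layer on top of chain validation, not a replacement for it; rotate the allow-list when the identity provider renews its certificate.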

📡 Detection & Monitoring

Log Indicators:

  • Failed SAML authentication attempts with invalid certificates
  • Unusual SAML assertion sources

Network Indicators:

  • SAML traffic over unencrypted channels
  • SAML assertions from unexpected IP addresses

SIEM Query:

source="saml" AND (certificate_validation="false" OR protocol!="https")

The field names above are illustrative; map them to whatever your application, reverse proxy and identity provider logs actually emit.
