CVE-2024-36383

5.3 MEDIUM

📋 TL;DR

This vulnerability in Logpoint SAML Authentication allows attackers to delete arbitrary files by injecting crafted filenames into SAML SSO-URL responses. This can cause login outages for SAML authentication. Organizations using Logpoint SAML Authentication before version 6.0.3 are affected.

💻 Affected Systems

Products:
  • Logpoint SAML Authentication
Versions: All versions before 6.0.3
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments using SAML authentication regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Critical system files could be deleted, causing complete SAML authentication failure and preventing all user logins via SAML.

🟠 Likely Case

Attackers delete configuration or temporary files, causing intermittent login failures and service disruption.

🟢 If Mitigated

With proper input validation and file permission restrictions, impact is limited to non-critical files in isolated directories.

🌐 Internet-Facing: MEDIUM - Exploitation requires access to SAML SSO endpoints, which are typically internet-facing for authentication.
🏢 Internal Only: LOW - The vulnerability specifically affects SAML authentication flows, which are primarily external-facing interfaces.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires crafting malicious SAML responses but doesn't require authentication to the target system.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.0.3

Vendor Advisory: https://servicedesk.logpoint.com/hc/en-us/articles/19128172110621-Arbitrary-file-deletion-through-URL-Injection-to-SAML-SSO-URL-Response

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Upgrade Logpoint SAML Authentication to version 6.0.3 or later.
3. Restart the SAML authentication service.
4. Verify the upgrade was successful.

🔧 Temporary Workarounds

Disable SAML Authentication

Temporarily disable SAML authentication and use alternative authentication methods.

Network Access Restrictions

Restrict access to SAML endpoints to trusted IP addresses only.

🧯 If You Can't Patch

  • Implement strict input validation for SAML state parameters
  • Apply file system permissions to restrict deletion of critical files

🔍 How to Verify

Check if Vulnerable:

Check Logpoint SAML Authentication version. If version is below 6.0.3, the system is vulnerable.

Check Version:

Check the Logpoint admin interface or consult the Logpoint documentation for how to check the installed version.

Verify Fix Applied:

Verify the version is 6.0.3 or higher and test SAML authentication functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file deletion events in system logs
  • SAML authentication failures with unusual state parameters

Network Indicators:

  • Unusual SAML response patterns with long or crafted state parameters

SIEM Query:

Search for file deletion events in system logs correlated with SAML authentication attempts containing unusual state parameter values.
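The correlation described above can be prototyped offline before it is turned into a SIEM rule. The following is an added example, not Logpoint code or a Logpoint query: the event field layout, the allow-list for a normal state value, the 128-character limit and the 30-second window are all assumptions, and the sample events are constructed.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample events (time, source IP, state); not a real Logpoint log format.
SAML_EVENTS = [
    ("2024-05-01T10:00:00", "198.51.100.7", "a3f9c2d41b7e4c55"),
    ("2024-05-01T10:05:10", "203.0.113.9", "..%2F..%2Fplaceholder%2Fsettings.conf"),
    ("2024-05-01T10:20:00", "203.0.113.9", "%252e%252e%252fplaceholder"),
]
# Constructed file-deletion audit events (time, path).
DELETE_EVENTS = [
    ("2024-05-01T10:05:11", "/placeholder/settings.conf"),
    ("2024-05-01T11:00:00", "/tmp/unrelated.tmp"),
]

SAFE_STATE = re.compile(r"[A-Za-z0-9_-]+")  # assumed shape of a legitimate state token
WINDOW = timedelta(seconds=30)              # assumed correlation window

def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding."""
    for _ in range(rounds):
        value, previous = unquote(value), value
        if value == previous:
            break
    return value

def state_findings(state):
    """Return the reasons a state value looks crafted (empty list if it looks normal)."""
    decoded = fully_decode(state)
    checks = [("too-long", len(state) > 128),
              ("path-separator", "/" in decoded or "\\" in decoded),
              ("dot-dot", ".." in decoded),
              ("unexpected-characters", not SAFE_STATE.fullmatch(state))]
    return [name for name, hit in checks if hit]

def correlate(saml_events, delete_events, window=WINDOW):
    """Flag unusual state values; raise severity when a deletion follows within `window`."""
    alerts = []
    for ts, src, state in saml_events:
        reasons = state_findings(state)
        if not reasons:
            continue
        t0 = datetime.fromisoformat(ts)
        deleted = [path for dts, path in delete_events
                   if timedelta(0) <= datetime.fromisoformat(dts) - t0 <= window]
        alerts.append({"time": ts, "source": src, "reasons": reasons,
                       "deleted": deleted, "severity": "high" if deleted else "medium"})
    return alerts
```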
