When using federated identity management (authenticating via SAML through a third-party identity provider), an attacker injects additional data into a signed SAML response being transmitted to the service provider (Hitachi ID Bravura Security Fabric). The application successfully validates the signed values but uses the unsigned malicious values. An attacker with lower-privilege access to the application can inject the username of a high-privilege user to impersonate that user.
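As an added illustration (not Hitachi ID code, and a deliberately simplified stand-in for XML-DSig: the "signature" is an HMAC over one canonicalized element, and the response layout and all values are constructed), the following Python shows the consumer-side mistake the advisory describes next to the safe pattern. A service provider that validates the signed assertion but then looks up the NameID with a document-wide search picks up an injected, unsigned assertion; one that reads only from the verified element, and rejects anything the signature does not cover, does not.

```python
import hashlib, hmac
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ET.register_namespace("saml", NS["saml"])
IDP_KEY = b"constructed-idp-key"  # constructed; stands in for the IdP's signing key
def canon(elem):  # canonical form of one element (stand-in for XML-DSig's C14N step)
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"))
def sign(elem):  # toy signature: HMAC over the canonical element (real SAML uses XML-DSig)
    return hmac.new(IDP_KEY, canon(elem).encode(), hashlib.sha256).hexdigest()
def assertion(id_, name_id):  # minimal Assertion carrying only a Subject/NameID
    return ET.fromstring(
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="{id_}">'
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject></saml:Assertion>")
def response(signed, *extra):  # Signature references `signed` by ID; `extra` assertions are unsigned
    root = ET.Element("Response")
    sig = ET.SubElement(root, "Signature", ref="#" + signed.get("ID"))
    sig.text = sign(signed)
    root.extend(extra + (signed,))  # unsigned content lands ahead of the signed assertion
    return ET.tostring(root, encoding="unicode")
def verified_assertion(root):  # the assertion the Signature points at, after checking the signature
    sig = root.find("Signature")
    ref = sig.get("ref").lstrip("#")
    target = next((a for a in root.findall("saml:Assertion", NS) if a.get("ID") == ref), None)
    if target is None or not hmac.compare_digest(sign(target), sig.text):
        raise ValueError("signature check failed")
    return target
def vulnerable_username(xml):
    root = ET.fromstring(xml)
    verified_assertion(root)  # signature validated on the referenced assertion ...
    return root.find(".//saml:NameID", NS).text  # ... but the first NameID in the document is used
def hardened_username(xml):
    root = ET.fromstring(xml)
    if len(root.findall("saml:Assertion", NS)) != 1:  # nothing outside the signed subtree is tolerated
        raise ValueError("unsigned assertion present")
    return verified_assertion(root).find("saml:Subject/saml:NameID", NS).text  # signed subtree only
def demo():
    legit = response(assertion("_a1", "lowpriv.user"))
    tampered = response(assertion("_a1", "lowpriv.user"), assertion("_x", "admin"))
    try:
        hardened_username(tampered)
        rejected = False
    except ValueError:
        rejected = True
    return {"legit": hardened_username(legit), "vuln_sees": vulnerable_username(tampered),
            "hardened_rejects": rejected}
```

A real service provider should get the same property from its SAML library by binding the asserted identity to the element whose signature reference was verified, never to a path or XPath evaluated over the whole response.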
The vulnerability affects versions 11.0.0 - 11.1.3, 12.0.0 - 12.0.2, and 12.1.0 when authentication is being done through a third-party SAML Identity Provider such as Okta, Azure, or SecureAuth.
If your Hitachi ID Bravura Security Fabric solution authenticates via SAML with a third-party service such as Okta, Azure, or SecureAuth, please check this knowledge base article for more information. The article contains details for requesting a patch from Hitachi ID if a member of our team has not already been in contact with you on this topic.
If you are not able to apply the recommended remediation, we recommend that you disable SAML integrations with third-party Identity Providers and rely on the built-in authentication strategies.
Hitachi ID would like to thank Michael Ellis for notifying us of this vulnerability.