In the Samly package before 1.4.0 for Elixir, Samly.State.Store.get_assertion/3 can return an expired session, which interferes with access control because Samly.AuthHandler uses a cached session and does not replace it, even after expiry.
The `Samly.State.Store.get_assertion/3` function may return expired session objects (assertions) instead of rejecting them. The `Samly.AuthHandler` module uses such a session retrieved from cache and does not verify its validity — it does not replace it with a new one, even after the validity period has expired. As a result, the access control mechanism based on SAML does not enforce proper session expiration for users.
An attacker possessing an expired SAML session token can still gain unauthorized access to protected application resources, bypassing access controls. This could lead to disclosure of confidential data, modification of resources, or system disruption.
The Samly package should be updated to version 1.4.0 or newer, which fixes the logic for validating expired sessions. Details of the change are available in the diff between versions 1.3.0 and 1.4.0 in the project repository.
Samly package for Elixir in versions prior to 1.4.0 (Dropbox Samly / handnot2/samly).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDropbox Samly
APPDropbox< 1.4.0
Related vulnerabilities
Dropbox Desktop Folder Sharing Mark-of-the-Web Bypass Vulnerability. This vulnerability allows remote attacker...
Dropbox Lepton v1.2.1-185-g2a08b77 was discovered to contain a heap-buffer-overflow in the function aligned_de...
Dropbox.exe (and QtWebEngineProcess.exe in the Web Helper) in the Dropbox desktop application 71.4.108.0 store...
io/ZlibCompression.cc in the decompression component in Dropbox Lepton 1.2.1 allows attackers to cause a denia...
A vulnerability was found in Dropbox merou. It has been classified as critical. Affected is the function add_p...