GHSA-3w4h-g9f5-j84pCriticalCVSS 9.8
Casdoor does not validate the AudienceRestriction element in SAML assertions
🔗 CVE IDs covered (1)
📋 Description
In Casdoor versions 2.362.0 and earlier, the SAML service provider implementation does not validate the AudienceRestriction element in SAML assertions. The buildSp function in object/saml_sp.go never sets AudienceURI on the gosaml2 SAMLServiceProvider struct and never inspects WarningInfo.NotInAudience. This allows assertions issued for other service providers to be accepted by Casdoor.
🎯 Affected products1
- go/github.com/casdoor/casdoor:<= 1.1000.1-0.20260321120606-239e8bd69487