Lasso Node Vulnerability

CRITICAL (9.8)

Threat Intelligence

Low Risk
EPSS Score: 0.09% chance of exploitation (percentile: 27%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

Entr'ouvert Lasso is an open-source, Java-based framework for building web applications. The lasso_node_impl_init_from_xml functionality in versions 2.5.1 and 2.8.2 contains a type confusion vulnerability that can lead to arbitrary code execution when processing SAML responses. This vulnerability poses a significant risk to organizations using Entr'ouvert Lasso, as it could allow attackers to execute malicious code on their servers.

Am I affected?

You're affected if you use Entr'ouvert Lasso: a type confusion vulnerability exists, but specific version information is not stated in the advisory. If you don't recognise this software, you're probably not affected.

How to fix

  1. Upgrade to Entr'ouvert Lasso 3.0.0 or later from the official GitHub repository (https://github.com/entr-ouvert/lasso).
  2. Immediate mitigations:
     - Restrict network access to your Entr'ouvert Lasso instance (firewall it from the public internet)
     - Audit SAML response processing for suspicious activity patterns
     - Monitor for unauthorized code execution attempts
