Vulnerability in Lasso Library Impacts Products From Cisco, Akamai
A high-severity vulnerability discovered recently in an open source library named Lasso has been found to impact products from Cisco and Akamai, as well as Linux distributions.
The vulnerability, tracked as CVE-2021-28091, was initially reported to Akamai as it was discovered in the company's Enterprise Application Access product, which uses Lasso to verify SAML assertions for applications when a customer configures SAML authentication with third-party identity providers.
Further analysis by Akamai showed that the flaw, which allows an attacker to impersonate valid users, was introduced by the use of Lasso, and that products from other vendors are affected as well.
Akamai determined that the vulnerability also impacts the SOGo and PacketFence packages maintained by Inverse, which Akamai acquired recently.
Cisco has also confirmed the use of the Lasso library and the networking giant is working on determining which of its products are impacted.
Lasso developers patched the vulnerability on June 1 with the release of version 2.7.0.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-06-04 | CVE-2021-28091 | Improper Verification of Cryptographic Signature vulnerability in multiple products. Lasso all versions prior to 2.7.0 has improper verification of a cryptographic signature. | 7.5 |