mirror of
https://github.com/prowler-cloud/prowler.git
synced 2026-07-04 19:21:51 +00:00
Merge commit from fork
* fix(saml): cross-tenant account takeover via SAML domain claiming
* chore(changelog): add PR #
* fix(api): bind SAML tokens to validated domain
  - Reject SAML assertions with mismatched email domains
  - Issue SAML tokens from the validated ACS tenant
  - Add regression coverage for cross-tenant SAML token issuance
* fix(api): resolve SAML tenant inside RLS context
  - Load the SAML tenant relation before leaving the RLS transaction
  - Avoid lazy tenant lookups during the SAML ACS finish flow
---------
Co-authored-by: Pepe Fagoaga <pepe@prowler.com>
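The check the commit message describes, as an added illustration that is not Prowler's own code: the `Tenant`/`TENANTS` structures, the `finish_saml_acs*` functions, the toy HMAC token and the sample tenants are all assumptions made for this example. The vulnerable variant shows the assumed pre-fix shape (link to whichever existing account carries the asserted email); the fixed variant binds the token to the tenant that owns the ACS endpoint and links only when the asserted email domain matches that tenant's validated domain and the user is already a member of it.

```python
# Illustrative model of the SAML account-linking check described above.
# NOT Prowler's code: Tenant/TENANTS, finish_saml_acs, issue_token and the
# vulnerable variant are hypothetical names and shapes chosen for this example.
import hashlib
import hmac
import json
from dataclasses import dataclass, field


class SAMLLinkError(Exception):
    """Raised when an assertion must not be linked to an account."""


@dataclass
class Tenant:
    tenant_id: str
    domain: str                      # domain that validated this tenant's ACS endpoint
    member_emails: set = field(default_factory=set)


# Constructed sample data for the example: two tenants, each owning one domain.
TENANTS = {
    "victim.example": Tenant("t-victim", "victim.example", {"alice@victim.example"}),
    "attacker.example": Tenant("t-attacker", "attacker.example", {"mallory@attacker.example"}),
}


def email_domain(email: str) -> str:
    """Return the lower-cased domain part of an email, rejecting malformed input."""
    local, at, domain = email.rpartition("@")
    if not at or not local or not domain:
        raise SAMLLinkError(f"malformed email: {email!r}")
    return domain.lower()


def resolve_acs_tenant(acs_domain: str) -> Tenant:
    """Resolve the tenant from the ACS endpoint the IdP posted to, never from the
    assertion. In a real app this lookup belongs inside the same (RLS) transaction
    that serves the request, so nothing is lazily fetched later outside it."""
    tenant = TENANTS.get(acs_domain.lower())
    if tenant is None:
        raise SAMLLinkError(f"no SAML tenant for ACS domain {acs_domain!r}")
    return tenant


def issue_token(tenant_id: str, email: str, key: bytes) -> dict:
    """Toy HMAC-signed session token carrying the tenant it was issued for."""
    payload = json.dumps({"tenant_id": tenant_id, "email": email}, sort_keys=True)
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


def finish_saml_acs_vulnerable(acs_domain: str, asserted_email: str, key: bytes) -> dict:
    """Assumed pre-fix shape: trust the asserted email and link to whatever existing
    account carries it, in whichever tenant. An attacker controlling the IdP behind
    attacker.example can assert alice@victim.example and get a victim-tenant token."""
    resolve_acs_tenant(acs_domain)                    # ACS tenant checked to exist, then ignored
    email = asserted_email.lower()
    for tenant in TENANTS.values():
        if email in tenant.member_emails:
            return issue_token(tenant.tenant_id, email, key)
    raise SAMLLinkError("no existing account for asserted email")


def finish_saml_acs(acs_domain: str, asserted_email: str, key: bytes) -> dict:
    """Fixed shape: the token is bound to the tenant whose ACS endpoint received the
    assertion; linking requires the asserted email domain to equal that tenant's
    validated domain and the user to already be a member of that tenant."""
    tenant = resolve_acs_tenant(acs_domain)
    email = asserted_email.lower()
    domain = email_domain(email)
    if domain != tenant.domain:
        raise SAMLLinkError(f"asserted domain {domain!r} != ACS tenant domain {tenant.domain!r}")
    if email not in tenant.member_emails:
        raise SAMLLinkError(f"{email!r} is not a member of tenant {tenant.tenant_id!r}")
    return issue_token(tenant.tenant_id, email, key)


def verify_token(token: dict, key: bytes) -> dict:
    """Check the MAC and return the payload so callers can see the bound tenant."""
    expected = hmac.new(key, token["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["mac"]):
        raise SAMLLinkError("bad token MAC")
    return json.loads(token["payload"])


if __name__ == "__main__":
    key = b"example-signing-key"
    # Attacker's IdP (ACS of attacker.example) asserts a victim-domain email.
    leaked = finish_saml_acs_vulnerable("attacker.example", "alice@victim.example", key)
    print("vulnerable flow issued token for", verify_token(leaked, key)["tenant_id"])
    try:
        finish_saml_acs("attacker.example", "alice@victim.example", key)
    except SAMLLinkError as e:
        print("fixed flow rejected:", e)
    ok = finish_saml_acs("victim.example", "alice@victim.example", key)
    print("legitimate login bound to", verify_token(ok, key)["tenant_id"])
```

The two conditions are deliberately separate: the domain comparison stops a foreign IdP from claiming another tenant's domain, and the membership check stops a matching-domain assertion from creating or attaching to an account that the tenant never provisioned.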
@@ -28,6 +28,14 @@ All notable changes to the **Prowler API** are documented in this file.
---
## [1.31.3] (Prowler v5.30.3)
### 🔐 Security
- SAML logins now link to an existing account only when the asserted email domain matches the ACS endpoint and the user is already a member of that domain's tenant, fixing a cross-tenant account takeover [(GHSA-h8m9-jgf8-vwvp)](https://github.com/prowler-cloud/prowler/security/advisories/GHSA-h8m9-jgf8-vwvp) [(#XXXXX)](https://github.com/prowler-cloud/prowler/pull/XXXXX)
---
## [1.31.2] (Prowler v5.30.2)
### 🔄 Changed
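Review bot: the PR reference in the new Security entry is still a placeholder, `[(#XXXXX)](https://github.com/prowler-cloud/prowler/pull/XXXXX)`, so the link will not resolve once this changelog is published; fill in the real pull request number before merging (the `chore(changelog): add PR #` step named in the commit message does not appear to have done so). The entry also describes only the domain and membership check, while the commit message lists a second fix (loading the SAML tenant relation inside the RLS transaction instead of lazily during the ACS finish flow); a clause on that, or a second bullet under the same heading, would make the changelog match what was shipped.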