Exploit Report

Computer Security And Bug Information


CVE Title
Published Date: 2023-03-03T23:15Z
Modified Date: 2023-03-06T04:17Z
CWE Type: CWE-409
Description: gosaml2 is a Pure Go implementation of SAML 2.0. SAML Service Providers using this library for SAML authentication support are likely susceptible to Denial of Service attacks. A bug in this library enables attackers to craft a `deflate`-compressed request which will consume significantly more memory during processing than the size of the original request. This may eventually lead to memory exhaustion and the process being killed. The maximum compression ratio achievable with `deflate` is 1032:1, so by limiting the size of bodies passed to gosaml2, limiting the rate and concurrency of calls, and ensuring that lots of memory is available to the process it _may_ be possible to help Go's garbage collector "keep up". Implementors are encouraged not to rely on this. This issue is fixed in version 0.9.0.
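The description above recommends bounding what reaches the decompressor rather than relying on the garbage collector. The following Go program is an added example, not code from gosaml2 or from the advisory: it inflates a raw DEFLATE stream through `io.LimitReader` so that no more than a configured number of bytes is ever materialised, and it rejects any input that would exceed that cap. The AuthnRequest fragment, the repeated-byte sample, and the function names `InflateBounded` and `HighlyCompressibleSample` are all constructed for the demonstration.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// ErrDecompressedTooLarge is returned when inflating the input would exceed the cap.
var ErrDecompressedTooLarge = errors.New("decompressed payload exceeds configured limit")

// InflateBounded inflates a raw DEFLATE stream (the encoding used for SAML
// HTTP-Redirect binding requests) but never materialises more than maxOut
// bytes, so a highly compressible input cannot turn into unbounded memory use.
func InflateBounded(compressed []byte, maxOut int64) ([]byte, error) {
	zr := flate.NewReader(bytes.NewReader(compressed))
	defer zr.Close()
	// Ask for one byte beyond the cap: if it arrives, the stream is over the limit.
	out, err := io.ReadAll(io.LimitReader(zr, maxOut+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > maxOut {
		return nil, ErrDecompressedTooLarge
	}
	return out, nil
}

// deflateBytes compresses data at the highest DEFLATE level; it is only used
// to build the constructed samples below.
func deflateBytes(data []byte) ([]byte, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.BestCompression)
	if err != nil {
		return nil, err
	}
	if _, err := w.Write(data); err != nil {
		return nil, err
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// HighlyCompressibleSample returns a constructed DEFLATE stream that inflates
// to n identical bytes, standing in for a request that abuses the ratio.
func HighlyCompressibleSample(n int) ([]byte, error) {
	return deflateBytes(bytes.Repeat([]byte{'A'}, n))
}

// ConstructedAuthnRequest is a constructed, minimal SAML-like XML fragment
// used as the "normal" request in the demonstration.
const ConstructedAuthnRequest = `<samlp:AuthnRequest ID="_example" Version="2.0"/>`

func main() {
	normal, _ := deflateBytes([]byte(ConstructedAuthnRequest))
	hostile, _ := HighlyCompressibleSample(8 << 20) // inflates to 8 MiB
	const limit = 1 << 20                             // 1 MiB cap on inflated size

	if out, err := InflateBounded(normal, limit); err == nil {
		fmt.Printf("normal request: %d compressed -> %d inflated bytes\n", len(normal), len(out))
	}
	if _, err := InflateBounded(hostile, limit); err != nil {
		fmt.Printf("hostile request: %d compressed bytes rejected: %v\n", len(hostile), err)
	}
}
```

The cap should be chosen from the largest legitimate SAML request the service provider expects to receive; because the reader stops at `maxOut+1` bytes, an over-limit stream is detected after reading only one byte past the cap, and the rest of the input is never inflated.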
References:
  • MISC https://github.com/russellhaering/gosaml2/commit/f9d66040241093e8702649baff50cc70d2c683c0
  • MISC https://github.com/russellhaering/gosaml2/security/advisories/GHSA-6gc3-crp7-25w5
  • MISC https://github.com/russellhaering/gosaml2/releases/tag/v0.9.0
  • MISC https://pkg.go.dev/vuln/GO-2023-1602
  • No CVSS data for this CVE
