CVE-2023-26483 – github.com/russellhaering/gosaml2

Package

Manager: go
Name: github.com/russellhaering/gosaml2
Vulnerable Version: >=0 <0.9.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00217 pctl0.4428

Details

gosaml2 vulnerable to Denial Of Service Via Deflate Decompression Bomb ### Impact SAML Service Providers using this library for SAML authentication support are likely susceptible to Denial of Service attacks. A bug in this library enables attackers to craft a `deflate`-compressed request which will consume significantly more memory during processing than the size of the original request. This may eventually lead to memory exhaustion and the process being killed. ### Mitigation The maximum compression ratio achievable with `deflate` is 1032:1, so by limiting the size of bodies passed to gosaml2, limiting the rate and concurrency of calls, and ensuring that lots of memory is available to the process it _may_ be possible to help Go's garbage collector "keep up". Implementors are encouraged not to rely on this. ### Patches This issue is addressed in v0.9.0

Metadata

Created: 2023-03-02T23:12:47Z
Modified: 2024-05-20T21:49:09Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-6gc3-crp7-25w5/GHSA-6gc3-crp7-25w5.json
CWE IDs: ["CWE-409"]
Alternative ID: GHSA-6gc3-crp7-25w5
Finding: F159
Auto approve: 1