CVE-2023-28119

Published: 22/03/2023 Updated: 07/11/2023
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 0

Vulnerability Summary

The crewjam/saml go library contains a partial implementation of the SAML standard in golang. Prior to version 0.4.13, the package's use of `flate.NewReader` does not limit the size of the input. The user can pass more than 1 MB of data in the HTTP request to the processing functions, which will be decompressed server-side using the Deflate algorithm. Therefore, after repeating the same request multiple times, it is possible to achieve a reliable crash since the operating system kills the process. This issue is patched in version 0.4.13.
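An added example, not code from crewjam/saml or its 0.4.13 patch: the unbounded `flate.NewReader` read pattern described above next to a size-capped version that rejects oversized streams. The function names, the 10 MiB cap and the zero-filled sample are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// maxInflated is an assumed cap (10 MiB); size it to your largest legitimate SAML message.
const maxInflated = 10 << 20

var errTooLarge = errors.New("inflated payload exceeds limit")

// inflateUnbounded shows the risky pattern: the sender controls how much memory is allocated.
func inflateUnbounded(compressed []byte) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	return io.ReadAll(r)
}

// inflateBounded reads at most limit+1 bytes, so an over-limit stream is
// detected and rejected instead of being silently truncated.
func inflateBounded(compressed []byte, limit int64) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	out, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > limit {
		return nil, errTooLarge
	}
	return out, nil
}

// deflateZeros builds a constructed sample: n zero bytes, raw-Deflate compressed.
func deflateZeros(n int) []byte {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression)
	w.Write(make([]byte, n))
	w.Close()
	return buf.Bytes()
}

func main() {
	sample := deflateZeros(32 << 20) // inflates to 32 MiB
	fmt.Printf("compressed size: %d bytes\n", len(sample))
	_, err := inflateBounded(sample, maxInflated)
	fmt.Println("bounded inflate:", err)
}
```

A cap on the HTTP request body alone does not address this, because a small compressed body can inflate to a much larger buffer; the limit has to sit on the decompressed side.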

Vulnerable Product

saml project saml 0.4.12

Vendor Advisories

Debian Bug report logs - #1033753 golang-github-crewjam-saml: CVE-2023-28119 Package: src:golang-github-crewjam-saml; Maintainer for src:golang-github-crewjam-saml is Debian Go Packaging Team <team+pkg-go@tracker.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Fri, 31 Mar 2023 18:48:02 UTC Se ...

Description: The MITRE CVE dictionary describes this issue as: The crewjam/saml go library contains a partial implementation of the SAML standard in golang. Prior to version 0.4.13, the package's use of `flate.NewReader` does not limit the size of the input. The user can pass more than 1 MB of data in the HTTP request to the processing functions, whi ...