SB2023040669 - Denial of service in SAML library for go

Published: April 6, 2023

Security Bulletin ID SB2023040669
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2023-28119)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the call to flate.NewReader does not limit the size of its input. A remote attacker can pass more than 1 MB of data in an HTTP request to the processing functions; the data is decompressed server-side using the Deflate algorithm, exhausting resources and causing a denial of service (DoS).
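The following Go program is an added illustration of the weakness described above and of the standard mitigation; it is not code from the affected library or from its fix. It places the unbounded pattern (flate.NewReader read to completion) next to a bounded version that wraps the decompressor in io.LimitReader, and applies the bound to a SAML-style parameter. The base64-over-raw-DEFLATE encoding mirrors the SAML HTTP-Redirect binding; the 1 MiB cap, the function names and the sample payloads are assumptions constructed for this example.

```go
package main

import (
	"bytes"
	"compress/flate"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// MaxDecodedSAML caps the decompressed SAML message. 1 MiB is an
// assumed bound chosen for this example; real requests are far smaller.
const MaxDecodedSAML = 1 << 20

// ErrTooLarge is returned when a stream would expand past the cap.
var ErrTooLarge = errors.New("deflate stream exceeds size limit")

// inflateUnbounded is the vulnerable pattern: flate.NewReader yields
// whatever the stream expands to and io.ReadAll buffers all of it, so
// memory use is controlled entirely by the sender.
func inflateUnbounded(compressed []byte) ([]byte, error) {
	fr := flate.NewReader(bytes.NewReader(compressed))
	defer fr.Close()
	return io.ReadAll(fr)
}

// InflateBounded wraps the same reader in io.LimitReader so at most
// maxOut+1 bytes are ever produced; the +1 distinguishes "exactly at
// the limit" from "over the limit" without buffering the excess.
func InflateBounded(compressed []byte, maxOut int64) ([]byte, error) {
	fr := flate.NewReader(bytes.NewReader(compressed))
	defer fr.Close()
	out, err := io.ReadAll(io.LimitReader(fr, maxOut+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > maxOut {
		return nil, ErrTooLarge
	}
	return out, nil
}

// DecodeSAMLParam decodes a base64(deflate(xml)) parameter with both
// stages bounded. The name is constructed for this example.
func DecodeSAMLParam(param string, maxOut int64) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(param)
	if err != nil {
		return nil, err
	}
	// XML compresses well, so a legitimate encoded message is always
	// much smaller than the cap; reject oversized input before inflating.
	if int64(len(raw)) > maxOut {
		return nil, ErrTooLarge
	}
	return InflateBounded(raw, maxOut)
}

// Deflate builds the constructed samples used below (helper, not an API).
func Deflate(data []byte) []byte {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.BestCompression)
	if err != nil {
		panic(err) // only fails for an invalid compression level
	}
	if _, err := w.Write(data); err != nil {
		panic(err)
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// EncodeSAMLParam is the inverse of DecodeSAMLParam (constructed helper).
func EncodeSAMLParam(xml []byte) string {
	return base64.StdEncoding.EncodeToString(Deflate(xml))
}

func main() {
	// Constructed sample: a small, legitimate-looking request.
	benign := []byte(`<samlp:AuthnRequest ID="_example" Version="2.0"/>`)
	// Constructed sample: 16 MiB of zeros, which DEFLATE shrinks to a few KiB.
	oversized := bytes.Repeat([]byte{0}, 16<<20)

	for _, tc := range []struct {
		name string
		xml  []byte
	}{{"benign", benign}, {"oversized", oversized}} {
		param := EncodeSAMLParam(tc.xml)
		fmt.Printf("%-9s encoded=%d bytes\n", tc.name, len(param))

		out, err := inflateUnbounded(Deflate(tc.xml)) // allocates the full expansion
		fmt.Printf("  unbounded: got %d bytes, err=%v\n", len(out), err)

		out, err = DecodeSAMLParam(param, MaxDecodedSAML) // stops at the cap
		fmt.Printf("  bounded:   got %d bytes, err=%v\n", len(out), err)
	}
}
```

Running it shows the encoded form of the 16 MiB payload is only a few tens of kilobytes, which is why a cap on the raw HTTP body alone is not enough: the limit has to sit on the decompressed output. For the HTTP body itself, http.MaxBytesReader is the standard-library way to bound what is read from the request before it reaches the decoder.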


Remediation

Install the update from the vendor's website.