SB20260428210 - Multiple vulnerabilities in gosaml2
Published: April 28, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Improper Check for Unusual or Exceptional Conditions (CVE-ID: N/A)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper handling of empty decrypted data in DecryptBytes() when processing a crafted encrypted SAML response sent over HTTP POST to the Assertion Consumer Service (ACS) endpoint. A remote attacker can send a specially crafted encrypted assertion to cause a denial of service.
Exploitation requires the service provider to be configured with encrypted assertion support; no valid signature is required, because decryption occurs before the assertion signature is validated.
2) Improper Verification of Cryptographic Signature (CVE-ID: N/A)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper verification of the cryptographic signature in ValidateEncodedLogoutRequestPOST when processing SAML LogoutRequest messages sent to the single logout endpoint. A remote attacker can send a specially crafted unsigned logout request to cause a denial of service.
Unsigned requests may be accepted even when signature validation is configured to be enforced.
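The two defensive checks the bulletin implies, as an added Go example that is not gosaml2's own code: a decrypt wrapper that refuses to pass an empty plaintext onward (issue 1), and a LogoutRequest POST handler that rejects messages without a Signature element whenever enforcement is configured (issue 2). The decrypt function, the logoutRequest struct and the sample XML are assumptions constructed here; the example only checks signature presence and leaves cryptographic verification to the library.

```go
package main

import (
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
)

var ErrEmptyPlaintext = errors.New("decrypted assertion is empty")
var ErrUnsignedLogout = errors.New("logout request is not signed")

// DecryptChecked wraps a caller-supplied decrypt function (hypothetical, not
// gosaml2's DecryptBytes) and refuses to pass an empty plaintext onward.
func DecryptChecked(decrypt func([]byte) ([]byte, error), ciphertext []byte) ([]byte, error) {
	plain, err := decrypt(ciphertext)
	if err != nil {
		return nil, err
	}
	if len(plain) == 0 {
		return nil, ErrEmptyPlaintext
	}
	return plain, nil
}

// logoutRequest captures only what the signature-presence check needs.
type logoutRequest struct {
	XMLName   xml.Name  `xml:"urn:oasis:names:tc:SAML:2.0:protocol LogoutRequest"`
	ID        string    `xml:"ID,attr"`
	Signature *struct{} `xml:"http://www.w3.org/2000/09/xmldsig# Signature"`
}

// ValidateLogoutRequestPOST decodes a base64 SAMLRequest form value and, with
// enforce set, rejects a LogoutRequest lacking a Signature element (presence only).
func ValidateLogoutRequestPOST(encoded string, enforce bool) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", fmt.Errorf("bad SAMLRequest encoding: %w", err)
	}
	var req logoutRequest
	if err := xml.Unmarshal(raw, &req); err != nil {
		return "", fmt.Errorf("bad LogoutRequest XML: %w", err)
	}
	if enforce && req.Signature == nil {
		return "", ErrUnsignedLogout
	}
	return req.ID, nil
}
// UnsignedLogoutXML is a constructed sample LogoutRequest with no Signature.
const UnsignedLogoutXML = `<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_abc123"/>`
```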
Remediation
Install the update from the vendor's website.