Lucene search

GoogleOSV:GO-2023-1602

HistoryMar 03, 2023 - 5:17 p.m.

Denial of service via deflate decompression bomb in github.com/russellhaering/gosaml2

2023-03-0317:17:54

Google

osv.dev

denial of service

saml authentication

github.com/russellhaering/gosaml2

deflate decompression bomb

memory exhaustion

process termination

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

0.001 Low

EPSS

Percentile

44.9%

JSON

A bug in SAML authentication library can result in Denial of Service attacks.

Attackers can craft a “deflate”-compressed request which will consume significantly more memory during processing than the size of the original request. This may eventually lead to memory exhaustion and the process being killed.

CPENameOperatorVersion
github.com/russellhaering/gosaml2lt0.9.0

CPE	Name	Operator	Version
	github.com/russellhaering/gosaml2	lt	0.9.0

References

github.com/advisories/GHSA-6gc3-crp7-25w5

github.com/russellhaering/gosaml2/commit/f9d66040241093e8702649baff50cc70d2c683c0

github.com/russellhaering/gosaml2/releases/tag/v0.9.0

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

0.001 Low

EPSS

Percentile

44.9%

JSON

Related for OSV:GO-2023-1602