Lucene search

48 matches found

Tenable Nessus (added 2026/01/20 12:00 a.m.)

MiracleLinux 8 : grafana-7.3.6-2.el8 (AXSA:2021-2087:03)

The remote MiracleLinux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2021-2087:03 advisory. crewjam/saml: authentication bypass in saml authentication CVE-2020-27846 grafana: XSS via a query alias for the Elasticsearch and Testdata datasour...

CVSS 10 | AI score 8.2 | EPSS 0.04618 | Exploits: 1 | References: 3
EUVD (added 2025/10/03 8:07 p.m.)

EUVD-2023-0885

Malicious code in bioql PyPI...

CVSS 7.5 | AI score 6.5 | EPSS 0.00957 | Exploits: 0 | References: 4
EUVD (added 2025/10/03 8:07 p.m.)

EUVD-2022-7368

Malicious code in bioql PyPI...

CVSS 9.8 | AI score 7.8 | EPSS 0.02179 | Exploits: 0 | References: 14
Tenable Nessus (added 2025/09/03 12:00 a.m.)

Linux Distros Unpatched Vulnerability : CVE-2023-28119

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The crewjam/saml go library contains a partial implementation of the SAML standard in golang. Prior to version 0.4.13, the package's use of flate.NewReader does...

CVSS 7.5 | AI score 7.1 | EPSS 0.00957 | Exploits: 0 | References: 2
IBM Security Bulletins (added 2025/05/14 6:07 p.m.)

Security Bulletin: Astronomer with IBM is vulnerable to remote attacks due to the crewjam saml package (CVE-2020-27846).

Summary crewjam saml is used by Astronomer with IBM as part of identity verification. Vulnerability Details CVEID:CVE-2020-27846 DESCRIPTION: crewjam saml could allow a remote attacker to bypass security restrictions, caused by a signature verification vulnerability. By sending a specially-crafte...

CVSS 10 | AI score 7 | EPSS 0.04618 | Exploits: 1 | Affected Software: 1
OSV (added 2024/03/06 11:00 a.m.)

BIT-GRAFANA-2020-27846

A signature verification vulnerability exists in crewjam/saml. This flaw allows an attacker to bypass SAML Authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability...

CVSS 10 | AI score 9.1 | EPSS 0.04618 | Exploits: 1 | References: 8
IBM Security Bulletins (added 2024/01/16 3:02 p.m.)

Security Bulletin: IBM Storage Ceph is vulnerable to improper authentication in Crewjam/SAML [CVE-2022-41912]

Summary Crewjam/SAML is used by IBM Storage Ceph as part of RGW and in assorted other locations CVE-2022-41912 This bulletin identifies the steps to take to address the vulnerability in Crewjam/SAML. Vulnerability Details CVEID:CVE-2022-41912 DESCRIPTION: Crewjam saml could allow a remote attacke...

CVSS 9.8 | AI score 9.1 | EPSS 0.02179 | Exploits: 0 | Affected Software: 1
Tenable Nessus (added 2023/11/07 12:00 a.m.)

Rocky Linux 8 : grafana (RLSA-2021:1859)

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2021:1859 advisory. - Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource. CVE-2020-24303 - A signature verification vulnerability...

CVSS 10 | AI score 7.5 | EPSS 0.04618 | Exploits: 1 | References: 8
SUSE CVE (added 2023/10/31 2:28 a.m.)

SUSE CVE-2020-27846

A signature verification vulnerability exists in crewjam/saml. This flaw allows an attacker to bypass SAML Authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability...

CVSS 9.8 | AI score 8.8 | EPSS 0.04618 | Exploits: 1 | References: 2
OSV (added 2023/10/24 4:45 p.m.)

GO-2023-2114 Cross-site scripting via missing binding syntax validation in github.com/crewjam/saml

The package does not validate the ACS Location URI according to the SAML binding being parsed. If abused, this flaw allows attackers to register malicious Service Providers at the IdP and inject Javascript in the ACS endpoint definition, achieving Cross-Site-Scripting XSS in the IdP context durin...

CVSS 7.1 | AI score 6 | EPSS 0.00434 | Exploits: 0 | References: 2
RedhatCVE (added 2023/10/16 11:57 p.m.)

CVE-2023-45683

A flaw was found in crewjam SAML, where it is vulnerable to Cross-site scripting caused by the improper validation of user-supplied input. This flaw allows a remote attacker to execute a script in a victim's Web browser within the security context of the hosting Web site, using this vulnerability...

CVSS 6 | AI score 6.2 | EPSS 0.00434 | Exploits: 0 | References: 4
Vulnrichment (added 2023/10/16 6:13 p.m.)

CVE-2023-45683 Cross site scripting via missing binding syntax validation In ACS location in github.com/crewjam/saml

github.com/crewjam/saml is a saml library for the go language. In affected versions the package does not validate the ACS Location URI according to the SAML binding being parsed. If abused, this flaw allows attackers to register malicious Service Providers at the IdP and inject Javascript in the...

CVSS 7.1 | AI score 6.2 | EPSS 0.00434 | Exploits: 0 | References: 2
OSV (added 2023/08/23 2:38 p.m.)

GO-2023-1664 Denial of service via deflate compression bomb in github.com/crewjam/saml

Denial of service via deflate compression bomb in github.com/crewjam/saml...

CVSS 7.5 | AI score 6 | EPSS 0.00957 | Exploits: 0 | References: 2
OpenVAS (added 2023/04/27 12:00 a.m.)

Grafana 7.3.0-beta1 < 8.5.24, 9.x < 9.2.17, 9.3.x < 9.3.13, 9.4.x < 9.4.9 DoS Vulnerability

Grafana is prone to a denial of service DoS vulnerability in the crewjam/saml library used for SAML integration. SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders...

CVSS 7.5 | AI score 7.4 | EPSS 0.01504 | Exploits: 1 | References: 2
Veracode (added 2023/03/28 6:07 a.m.)

Denial Of Service (DoS)

github.com/crewjam/saml is vulnerable to Denial of Service DoS attacks. The vulnerability is due to the flate.NewReader function because it allows users to pass more than 1 MB of data to the processing functions, which will be decompressed server-side. After repeating the request a number of time...

CVSS 7.5 | AI score 7.2 | EPSS 0.00957 | Exploits: 0 | References: 2 | Affected Software: 1
OSV (added 2023/03/22 9:23 p.m.)

GHSA-5MQJ-XC49-246P crewjam/saml vulnerable to Denial Of Service Via Deflate Decompression Bomb

Our use of flate.NewReader does not limit the size of the input. The user could pass more than 1 MB of data in the HTTP request to the processing functions, which will be decompressed server-side using the Deflate algorithm. Therefore, after repeating the same request multiple times, it is possib...

CVSS 7.5 | AI score 6 | EPSS 0.00957 | Exploits: 0 | References: 4
Github Security Blog (added 2023/03/22 9:23 p.m.)

crewjam/saml vulnerable to Denial Of Service Via Deflate Decompression Bomb

Our use of flate.NewReader does not limit the size of the input. The user could pass more than 1 MB of data in the HTTP request to the processing functions, which will be decompressed server-side using the Deflate algorithm. Therefore, after repeating the same request multiple times, it is possib...

CVSS 7.5 | AI score 7.2 | EPSS 0.00957 | Exploits: 0 | References: 4 | Affected Software: 1
UbuntuCve (added 2023/03/22 8:15 p.m.)

CVE-2023-28119

The crewjam/saml go library contains a partial implementation of the SAML standard in golang. Prior to version 0.4.13, the package's use of flate.NewReader does not limit the size of the input. The user can pass more than 1 MB of data in the HTTP request to the processing functions, which will be...

CVSS 7.5 | AI score 6.8 | EPSS 0.00957 | Exploits: 0 | References: 3
OSV (added 2023/03/22 8:15 p.m.)

UBUNTU-CVE-2023-28119

The crewjam/saml go library contains a partial implementation of the SAML standard in golang. Prior to version 0.4.13, the package's use of flate.NewReader does not limit the size of the input. The user can pass more than 1 MB of data in the HTTP request to the processing functions, which will be...

CVSS 7.5 | AI score 7.3 | EPSS 0.00957 | Exploits: 0 | References: 4
Cvelist (added 2023/03/22 7:51 p.m.)

CVE-2023-28119 crewjam/saml vulnerable to Denial Of Service Via Deflate Decompression Bomb

The crewjam/saml go library contains a partial implementation of the SAML standard in golang. Prior to version 0.4.13, the package's use of flate.NewReader does not limit the size of the input. The user can pass more than 1 MB of data in the HTTP request to the processing functions, which will be...

CVSS 7.5 | AI score 7.3 | EPSS 0.00957 | Exploits: 0 | References: 2