48 matches found
CVE-2023-28119 crewjam/saml vulnerable to Denial Of Service Via Deflate Decompression Bomb
The crewjam/saml go library contains a partial implementation of the SAML standard in golang. Prior to version 0.4.13, the package's use of flate.NewReader does not limit the size of the input. The user can pass more than 1 MB of data in the HTTP request to the processing functions, which will be...
CVE-2023-28119 crewjam/saml vulnerable to Denial Of Service Via Deflate Decompression Bomb
The crewjam/saml go library contains a partial implementation of the SAML standard in golang. Prior to version 0.4.13, the package's use of flate.NewReader does not limit the size of the input. The user can pass more than 1 MB of data in the HTTP request to the processing functions, which will be...
CVE-2023-28119
CVE-2023-28119 affects crewjam/saml (Go). Root cause: using flate.NewReader without input size limit allows unbounded decompression of HTTP request data, enabling a DoS by repeated requests that can crash the process. A fix is available in v0.4.13. Depending on the environment, exploitation is de...
PT-2023-21576 · Saml +1 · Saml +1
Name of the Vulnerable Software and Affected Versions: github.com/crewjam/saml versions prior to 0.4.13 Description: The issue arises from the package's use of flate.NewReader without limiting the size of the input. This allows a user to pass more than 1 MB of data in an HTTP request to the...
Crewjam Saml 安全漏洞
Crewjam Saml is a Go-based implementation of a codebase that interacts with Saml format files by the individual developers of Crewjam. A security vulnerability exists in Crewjam Saml versions prior to 0.4.13, which stems from not limiting the size of input to flate.NewReader...
GHSA-J2JP-WVQG-WC2G crewjam/saml vulnerable to signature bypass via multiple Assertion elements due to improper authentication
Impact The crewjam/saml go library is vulnerable to an authentication bypass when processing SAML responses containing multiple Assertion elements. Patches This issue has been corrected in version 0.4.9. Credit This issue was reported by Felix Wilhelm from Google Project Zero...
crewjam/saml vulnerable to signature bypass via multiple Assertion elements due to improper authentication
Impact The crewjam/saml go library is vulnerable to an authentication bypass when processing SAML responses containing multiple Assertion elements. Patches This issue has been corrected in version 0.4.9. Credit This issue was reported by Felix Wilhelm from Google Project Zero...
CVE-2022-41912
An authentication bypass flaw was discovered in the crewjam/saml go package. A remote unauthenticated attacker could trigger it by sending a SAML request. This would allow an escalation of privileges and then enable compromising system integrity...
CVE-2022-41912
The crewjam/saml go library prior to version 0.4.9 is vulnerable to an authentication bypass when processing SAML responses containing multiple Assertion elements. This issue has been corrected in version 0.4.9. There are no workarounds other than upgrading to a fixed version...
CVE-2022-41912
The crewjam/saml go library prior to version 0.4.9 is vulnerable to an authentication bypass when processing SAML responses containing multiple Assertion elements. This issue has been corrected in version 0.4.9. There are no workarounds other than upgrading to a fixed version...
CVE-2022-41912 crewjam/saml go library is vulnerable to signature bypass via multiple Assertion elements
The crewjam/saml go library prior to version 0.4.9 is vulnerable to an authentication bypass when processing SAML responses containing multiple Assertion elements. This issue has been corrected in version 0.4.9. There are no workarounds other than upgrading to a fixed version...
CVE-2022-41912 crewjam/saml go library is vulnerable to signature bypass via multiple Assertion elements
The crewjam/saml go library prior to version 0.4.9 is vulnerable to an authentication bypass when processing SAML responses containing multiple Assertion elements. This issue has been corrected in version 0.4.9. There are no workarounds other than upgrading to a fixed version...
CVE-2022-41912
Removed by vendor...
CVE-2022-41912
Affected software: crewjam/saml Go library
PT-2022-26143 · Unknown · Crewjam/Saml
Name of the Vulnerable Software and Affected Versions: crewjam/saml go library versions prior to 0.4.9 Description: The issue concerns an authentication bypass when processing SAML responses containing multiple Assertion elements. This has been corrected in version 0.4.9. There are no workarounds...
CVE-2022-41912 crewjam/saml go library is vulnerable to signature bypass via multiple Assertion elements
The crewjam/saml go library prior to version 0.4.9 is vulnerable to an authentication bypass when processing SAML responses containing multiple Assertion elements. This issue has been corrected in version 0.4.9. There are no workarounds other than upgrading to a fixed version...
GHSA-4HQ8-GMXX-H6W9 XML Processing error in github.com/crewjam/saml
Impact There are three vulnerabilities in the go encoding/xml package that can allow an attacker to forge part of a signed XML document. For details on this vulnerability see xml-roundtrip-validator Patches In version 0.4.3, all XML input is validated prior to being parsed...
XML Processing error in github.com/crewjam/saml
Impact There are three vulnerabilities in the go encoding/xml package that can allow an attacker to forge part of a signed XML document. For details on this vulnerability see xml-roundtrip-validator Patches In version 0.4.3, all XML input is validated prior to being parsed...
crewjam/saml: authentication bypass in saml authentication
A signature verification vulnerability exists in crewjam/saml. This flaw allows an attacker to bypass SAML Authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability...
Fedora 32 : grafana (2020-968067abfa)
update to upstream 7.3.6 Note regarding CVE-2020-27846: SAML is not supported in the open source version of Grafana, however the dependency on crewjam/saml is also present in the open source version. This update removes this dependency altogether. Note that Tenable Network Security has extracted...