
5 matches found

Veracode
added 2023/03/28 6:07 a.m., 28 views

Denial Of Service (DoS)

github.com/crewjam/saml is vulnerable to Denial of Service DoS attacks. The vulnerability is due to the flate.NewReader function because it allows users to pass more than 1 MB of data to the processing functions, which will be decompressed server-side. After repeating the request a number of time...

CVSS 7.5 | AI score 7.2 | EPSS 0.00957
Exploits: 0 | References: 2 | Affected Software: 1
RedhatCVE
added 2023/03/24 1:07 p.m., 34 views

CVE-2023-28119

The crewjam/saml go library contains a partial implementation of the SAML standard in golang. Prior to version 0.4.13, the package's use of flate.NewReader does not limit the size of the input. The user can pass more than 1 MB of data in the HTTP request to the processing functions, which will be...

CVSS 5.3 | AI score 7.1 | EPSS 0.00957
Exploits: 0 | References: 5
OSV
added 2023/03/22 9:23 p.m., 26 views

GHSA-5MQJ-XC49-246P crewjam/saml vulnerable to Denial Of Service Via Deflate Decompression Bomb

Our use of flate.NewReader does not limit the size of the input. The user could pass more than 1 MB of data in the HTTP request to the processing functions, which will be decompressed server-side using the Deflate algorithm. Therefore, after repeating the same request multiple times, it is possib...

CVSS 7.5 | AI score 6.0 | EPSS 0.00957
Exploits: 0 | References: 4
UbuntuCve
added 2023/03/22 8:15 p.m., 22 views

CVE-2023-28119

The crewjam/saml go library contains a partial implementation of the SAML standard in golang. Prior to version 0.4.13, the package's use of flate.NewReader does not limit the size of the input. The user can pass more than 1 MB of data in the HTTP request to the processing functions, which will be...

CVSS 7.5 | AI score 6.8 | EPSS 0.00957
Exploits: 0 | References: 3
CVE
added 2023/03/22 7:51 p.m., 769 views

CVE-2023-28119

CVE-2023-28119 affects crewjam/saml (Go). Root cause: using flate.NewReader without input size limit allows unbounded decompression of HTTP request data, enabling a DoS by repeated requests that can crash the process. A fix is available in v0.4.13. Depending on the environment, exploitation is de...

CVSS 7.5 | AI score 7.1 | EPSS 0.00957
Exploits: 0 | References: 2 | Affected Software: 1
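All five entries above describe the same root cause: a flate.NewReader whose decompressed output is read without any bound, so a small HTTP request body can inflate into far more memory than the server can afford. The following Go program is an added example, written for this page and not taken from crewjam/saml or any of the listed advisories; it places the unbounded pattern beside a bounded variant that caps the decompressed stream with io.LimitReader. The function names, the 1 MiB cap and the constructed "bomb" payload (several MiB of zeros, deflate-compressed to a few KB) are assumptions for illustration, not the library's API or the fix shipped in v0.4.13. Note that capping only the compressed request body is not a complete fix, since deflate can expand input by roughly 1000:1; the limit has to apply to what comes out of the reader.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// ErrTooLarge is returned when the inflated payload exceeds the configured cap.
var ErrTooLarge = errors.New("deflate payload exceeds decompressed size limit")

// decompressUnbounded mirrors the vulnerable pattern the advisories describe:
// flate.NewReader feeds io.ReadAll with no bound, so memory use is dictated by
// how far the attacker's deflate stream expands, not by the request size.
func decompressUnbounded(compressed []byte) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	return io.ReadAll(r)
}

// decompressBounded reads at most limit bytes of *decompressed* output.
// Reading limit+1 bytes lets us tell "exactly limit" apart from "over limit"
// without ever buffering the excess.
func decompressBounded(compressed []byte, limit int64) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	out, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > limit {
		return nil, ErrTooLarge
	}
	return out, nil
}

// makeBomb builds a constructed test payload: n zero bytes compressed with
// deflate at the highest level, tiny on the wire but large when inflated.
// It stands in for the attacker-controlled HTTP request body.
func makeBomb(n int) ([]byte, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.BestCompression)
	if err != nil {
		return nil, err
	}
	if _, err := w.Write(make([]byte, n)); err != nil {
		return nil, err
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	const limit = 1 << 20 // 1 MiB cap on decompressed output (assumed value)

	bomb, err := makeBomb(8 << 20) // 8 MiB of zeros, compresses to ~8 KB
	if err != nil {
		panic(err)
	}
	fmt.Printf("compressed payload on the wire: %d bytes\n", len(bomb))

	plain, err := decompressUnbounded(bomb)
	fmt.Printf("unbounded: inflated to %d bytes, err=%v\n", len(plain), err)

	_, err = decompressBounded(bomb, limit)
	fmt.Printf("bounded:   rejected, err=%v\n", err)
}
```

Run it with `go run .`; the unbounded path happily allocates the full 8 MiB per request, which is exactly what lets repeated requests exhaust the process, while the bounded path stops after 1 MiB + 1 byte and returns ErrTooLarge. The same cap belongs on every decompression site that handles attacker-controlled input, not only the SAML redirect-binding path.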