4 matches found
CVE-2023-28119
CVE-2023-28119 affects crewjam/saml (Go). Root cause: using flate.NewReader without input size limit allows unbounded decompression of HTTP request data, enabling a DoS by repeated requests that can crash the process. A fix is available in v0.4.13. Depending on the environment, exploitation is de...
CVE-2020-27846
CVE-2020-27846 is a signature verification vulnerability in crewjam/saml that can allow bypass of SAML authentication. The issue affects Grafana deployments including affected Grafana versions referenced in multiple advisories (e.g., Red Hat RHSA-2021:1859) and is scored with a high/critical impa...
CVE-2022-41912
Affected software: crewjam/saml Go library
CVE-2023-45683
CVE-2023-45683 affects the Go SAML library github.com/crewjam/saml. Affected versions fail to validate the ACS Location URI according to the parsed SAML binding, enabling an attacker to register a malicious Service Provider at the IdP and inject JavaScript in the ACS endpoint. This can cause Cros...