GHSA-j2jp-wvqg-wc2g
Suggest an improvement- Source
- https://github.com/advisories/GHSA-j2jp-wvqg-wc2g
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-j2jp-wvqg-wc2g/GHSA-j2jp-wvqg-wc2g.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-j2jp-wvqg-wc2g
- Aliases
- Related
- Published
- 2022-11-29T23:55:54Z
- Modified
- 2023-11-01T05:00:05.964355Z
- Severity
-
- 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- crewjam/saml vulnerable to signature bypass via multiple Assertion elements due to improper authentication
- Details
-
Impact
The crewjam/saml go library is vulnerable to an authentication bypass when processing SAML responses containing multiple Assertion elements.
Patches
This issue has been corrected in version 0.4.9.
Credit
This issue was reported by Felix Wilhelm from Google Project Zero.
- Database specific
{ "nvd_published_at": "2022-11-28T15:15:00Z", "github_reviewed_at": "2022-11-29T23:55:54Z", "severity": "CRITICAL", "github_reviewed": true, "cwe_ids": [ "CWE-287" ] }- References
-
- https://github.com/crewjam/saml/security/advisories/GHSA-j2jp-wvqg-wc2g
- https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p
- https://nvd.nist.gov/vuln/detail/CVE-2022-41912
- https://github.com/crewjam/saml/commit/aee3fb1edeeaf1088fcb458727e0fd863d277f8b
- https://github.com/crewjam/saml
- https://github.com/crewjam/saml/releases/tag/v0.4.9
- https://pkg.go.dev/vuln/GO-2022-1129
- http://packetstormsecurity.com/files/170356/crewjam-saml-Signature-Bypass.html
Affected packages
Go / github.com/crewjam/saml
Package
- Name
- github.com/crewjam/saml
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/crewjam/saml