CVE-2023-28119

EPSS 0.19%
Published 22.03.2023 20:15:12
Last modified 21.11.2024 07:54:26
Source security-advisories@github.com
Teams watchlist Login
Open Login

The crewjam/saml go library contains a partial implementation of the SAML standard in golang. Prior to version 0.4.13, the package's use of `flate.NewReader` does not limit the size of the input. The user can pass more than 1 MB of data in the HTTP request to the processing functions, which will be decompressed server-side using the Deflate algorithm. Therefore, after repeating the same request multiple times, it is possible to achieve a reliable crash since the operating system kills the process. This issue is patched in version 0.4.13.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Saml Project ≫ Saml Version0.4.12 SwPlatformgo

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.19%	0.408

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

https://github.com/crewjam/saml/commit/8e9236867d176ad6338c870a84e2039aef8a5021

Patch

https://github.com/crewjam/saml/security/advisories/GHSA-5mqj-xc49-246p

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-28119

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-28119

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-28119

EUVD