Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01bXFqLXhjNDktMjQ2cM4AAyO-
crewjam/saml vulnerable to Denial Of Service Via Deflate Decompression Bomb
Our use of flate.NewReader does not limit the size of the input. The user could pass more than 1 MB of data in the HTTP request to the processing functions, which will be decompressed server-side using the Deflate algorithm. Therefore, after repeating the same request multiple times, it is possible to achieve a reliable crash since the operating system kills the process.
Permalink: https://github.com/advisories/GHSA-5mqj-xc49-246pJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01bXFqLXhjNDktMjQ2cM4AAyO-
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-5mqj-xc49-246p, CVE-2023-28119
References:
- https://github.com/crewjam/saml/security/advisories/GHSA-5mqj-xc49-246p
- https://github.com/crewjam/saml/commit/8e9236867d176ad6338c870a84e2039aef8a5021
- https://nvd.nist.gov/vuln/detail/CVE-2023-28119
- https://github.com/advisories/GHSA-5mqj-xc49-246p
Blast Radius: 21.4
Affected Packages
go:github.com/crewjam/saml
Dependent packages: 207Dependent repositories: 716
Downloads:
Affected Version Ranges: < 0.4.13
Fixed in: 0.4.13
All affected versions: 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.4.8, 0.4.9, 0.4.10, 0.4.11, 0.4.12
All unaffected versions: 0.4.13, 0.4.14