Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0yNjd2LTN2MzItZzZxNc4AA2gX
Cross-site Scripting via missing Binding syntax validation
Impact
The package does not validate the ACS Location URI according to the SAML binding being parsed.
If abused, this flaw allows attackers to register malicious Service Providers at the IdP and inject Javascript in the ACS endpoint definition, achieving Cross-Site-Scripting (XSS) in the IdP context during the redirection at the end of a SAML SSO Flow.
Consequently, an attacker may perform any authenticated action as the victim once the victim’s browser loaded the SAML IdP initiated SSO link for the malicious service provider.
Note: The severity is considered “High” because the SP registration is commonly an unrestricted operation in IdPs, hence not requiring particular permissions or publicly accessible to ease the IdP interoperability.
Patches
This issue is fixed in 0.4.14
Workarounds
Users of the package can perform external validation of URLs provided in SAML metadata, or restrict the ability for end-users to upload arbitrary metadata.
References
This issue was reported by Francesco Lacerenza from Doyensec.
Permalink: https://github.com/advisories/GHSA-267v-3v32-g6q5JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yNjd2LTN2MzItZzZxNc4AA2gX
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
CVSS Score: 7.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Identifiers: GHSA-267v-3v32-g6q5, CVE-2023-45683
References:
- https://github.com/crewjam/saml/security/advisories/GHSA-267v-3v32-g6q5
- https://nvd.nist.gov/vuln/detail/CVE-2023-45683
- https://github.com/crewjam/saml/commit/b07b16cf83c4171d16da4d85608cb827f183cd79
- https://github.com/advisories/GHSA-267v-3v32-g6q5
Blast Radius: 20.3
Affected Packages
go:github.com/crewjam/saml
Dependent packages: 263Dependent repositories: 716
Downloads:
Affected Version Ranges: < 0.4.14
Fixed in: 0.4.14
All affected versions: 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.4.8, 0.4.9, 0.4.10, 0.4.11, 0.4.12, 0.4.13
All unaffected versions: 0.4.14