CVE-2022-41912

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-41912

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-41912.json

Aliases

GHSA-j2jp-wvqg-wc2g
GO-2022-1129

Published

2022-11-28T15:15:10Z

Modified

2023-11-29T09:51:54.562946Z

Details

The crewjam/saml go library prior to version 0.4.9 is vulnerable to an authentication bypass when processing SAML responses containing multiple Assertion elements. This issue has been corrected in version 0.4.9. There are no workarounds other than upgrading to a fixed version.

References

http://packetstormsecurity.com/files/170356/crewjam-saml-Signature-Bypass.html
https://github.com/crewjam/saml/security/advisories/GHSA-j2jp-wvqg-wc2g
https://github.com/crewjam/saml/commit/aee3fb1edeeaf1088fcb458727e0fd863d277f8b

Affected packages

Git / github.com/crewjam/saml

Affected ranges

Type: GIT
Repo: https://github.com/crewjam/saml
Events: Introduced

0The exact introduced commit is unknown

Fixed

aee3fb1edeeaf1088fcb458727e0fd863d277f8b

Affected versions

0.*

0.1.0

0.2.0

v0.*

v0.3.0

v0.3.1

v0.4.0

v0.4.1

v0.4.2

v0.4.3

v0.4.4

v0.4.5

v0.4.6

v0.4.7

v0.4.8