GO-2023-1602

Source
https://pkg.go.dev/vuln/GO-2023-1602
Import Source
https://vuln.go.dev/ID/GO-2023-1602.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2023-1602
Aliases
Published
2023-03-03T17:17:54Z
Modified
2024-05-20T16:03:47Z
Summary
Denial of service via deflate decompression bomb in github.com/russellhaering/gosaml2
Details

A bug in the SAML authentication library can result in denial of service attacks.

Attackers can craft a "deflate"-compressed request that consumes significantly more memory during processing than the size of the original request. This may eventually lead to memory exhaustion and the process being killed.

Database specific
{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2023-1602"
}
References

Affected packages

Go / github.com/russellhaering/gosaml2

Package

Name
github.com/russellhaering/gosaml2
Purl
pkg:golang/github.com/russellhaering/gosaml2

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.9.0

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/russellhaering/gosaml2",
            "symbols": [
                "DecodeUnverifiedBaseResponse",
                "DecodeUnverifiedLogoutResponse",
                "SAMLServiceProvider.RetrieveAssertionInfo",
                "SAMLServiceProvider.ValidateEncodedLogoutRequestPOST",
                "SAMLServiceProvider.ValidateEncodedLogoutResponsePOST",
                "SAMLServiceProvider.ValidateEncodedResponse",
                "SAMLServiceProvider.validationContext",
                "maybeDeflate",
                "parseResponse"
            ]
        }
    ]
}