Headline
GHSA-5mqj-xc49-246p: crewjam/saml vulnerable to Denial Of Service Via Deflate Decompression Bomb
Our use of flate.NewReader does not limit the size of the input. The user could pass more than 1 MB of data in the HTTP request to the processing functions, which will be decompressed server-side using the Deflate algorithm. Therefore, after repeating the same request multiple times, it is possible to achieve a reliable crash since the operating system kills the process.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2023-28119
crewjam/saml vulnerable to Denial Of Service Via Deflate Decompression Bomb
High severity GitHub Reviewed Published Mar 22, 2023 in crewjam/saml
Package
gomod github.com/crewjam/saml (Go)
Affected versions
< 0.4.13
Our use of flate.NewReader does not limit the size of the input. The user could pass more than 1 MB of data in the HTTP request to the processing functions, which will be decompressed server-side using the Deflate algorithm. Therefore, after repeating the same request multiple times, it is possible to achieve a reliable crash since the operating system kills the process.
References
- GHSA-5mqj-xc49-246p
- crewjam/saml@8e92368
Published to the GitHub Advisory Database
Mar 22, 2023
Related news
The crewjam/saml go library contains a partial implementation of the SAML standard in golang. Prior to version 0.4.13, the package's use of `flate.NewReader` does not limit the size of the input. The user can pass more than 1 MB of data in the HTTP request to the processing functions, which will be decompressed server-side using the Deflate algorithm. Therefore, after repeating the same request multiple times, it is possible to achieve a reliable crash since the operating system kills the process. This issue is patched in version 0.4.13.