Headline
GHSA-6h53-q94j-348w: RobotsAndPencils go-saml authentication bypass vulnerability
RobotsAndPencils go-saml, a SAML client library written in Go, contains an authentication bypass vulnerability in all known versions. This is due to how the xmlsec1 command line tool is called internally to verify the signature of SAML assertions. When xmlsec1 is used without defining the enabled key data, the origin of the public key for the signature verification is, unfortunately, not restricted. That means an attacker can sign the SAML assertions themselves and provide the required public key (e.g. an RSA key) directly embedded in the SAML token. Projects still using RobotsAndPencils/go-saml should move to another SAML library or alternatively remove support for SAML from their projects. The vulnerability can likely temporarily be fixed by forking the go-saml project and adding the command line argument --enabled-key-data and specifying a value such as x509 or raw-x509-cert when calling the xmlsec1 binary in the verify function. Please note that this workaround must be carefully tested before it can be used.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2023-48703
RobotsAndPencils go-saml authentication bypass vulnerability
High severity GitHub Reviewed Published Aug 5, 2024 to the GitHub Advisory Database
Package
gomod github.com/RobotsAndPencils/go-saml (Go)
Affected versions
<= 0.0.0-20230606195814-29020529affc
RobotsAndPencils go-saml, a SAML client library written in Go, contains an authentication bypass vulnerability in all known versions. This is due to how the xmlsec1 command line tool is called internally to verify the signature of SAML assertions. When xmlsec1 is used without defining the enabled key data, the origin of the public key for the signature verification is, unfortunately, not restricted. That means an attacker can sign the SAML assertions themselves and provide the required public key (e.g. an RSA key) directly embedded in the SAML token. Projects still using RobotsAndPencils/go-saml should move to another SAML library or alternatively remove support for SAML from their projects. The vulnerability can likely temporarily be fixed by forking the go-saml project and adding the command line argument --enabled-key-data and specifying a value such as x509 or raw-x509-cert when calling the xmlsec1 binary in the verify function. Please note that this workaround must be carefully tested before it can be used.
References
- https://nvd.nist.gov/vuln/detail/CVE-2023-48703
- https://securitylab.github.com/advisories/GHSL-2023-121_go-saml__archived_
Published to the GitHub Advisory Database
Aug 5, 2024