Bug 2244549 (CVE-2023-45683)

Summary: CVE-2023-45683 github.com/crewjam/saml: Cross-Site-Scripting (XSS) in github.com/crewjam/saml
Product: [Other] Security Response
Reporter: Marco Benatto <mbenatto>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: dfreiber, gparvin, jburrell, njean, owatkins, pahickey, rogbas, stcannon, teagle, vkumar
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: crewjam/saml 0.4.14
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in crewjam/saml, where improper validation of user-supplied input makes it vulnerable to cross-site scripting. This flaw allows a remote attacker to execute a script in a victim's web browser within the security context of the hosting website, and to use this to steal the victim's cookie-based authentication credentials.
Bug Depends On: 2244550
Bug Blocks: 2244548

Description Marco Benatto 2023-10-16 22:53:15 UTC
github.com/crewjam/saml is a SAML library for the Go language. In affected versions the package does not validate the ACS Location URI according to the SAML binding being parsed. If abused, this flaw allows attackers to register malicious Service Providers at the IdP and inject JavaScript in the ACS endpoint definition, achieving Cross-Site-Scripting (XSS) in the IdP context during the redirection at the end of a SAML SSO flow. Consequently, an attacker may perform any authenticated action as the victim once the victim's browser has loaded the SAML IdP-initiated SSO link for the malicious service provider.

Note: SP registration is commonly an unrestricted operation in IdPs, hence not requiring particular permissions or being publicly accessible to ease IdP interoperability. This issue is fixed in version 0.4.14. Users unable to upgrade may perform external validation of URLs provided in SAML metadata, or restrict the ability for end users to upload arbitrary metadata.

https://github.com/crewjam/saml/commit/b07b16cf83c4171d16da4d85608cb827f183cd79
https://github.com/crewjam/saml/security/advisories/GHSA-267v-3v32-g6q5
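As an added illustration of the check the advisory describes (written for this page, not the project's own fix or any code from crewjam/saml), the Go function below validates an AssertionConsumerService Location from SP metadata against the binding it is declared for: for the browser-facing HTTP-POST and HTTP-Redirect bindings, where the IdP emits the URL into a form action or a Location header, only an absolute http(s) URL is accepted. The binding constants are the standard SAML 2.0 binding URIs; the function and error names are assumed, and the sample metadata values are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// Standard SAML 2.0 binding identifiers for the two browser-facing bindings.
const (
	HTTPPostBinding     = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
	HTTPRedirectBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
)

// ErrUnsafeACSLocation is returned when an ACS Location cannot safely be emitted
// into a redirect or form action. (Hypothetical name, not from crewjam/saml.)
var ErrUnsafeACSLocation = errors.New("acs location is not an absolute http(s) URL")

// ValidateACSLocation checks an AssertionConsumerService Location taken from
// SP metadata against the binding it is declared for. For HTTP-POST and
// HTTP-Redirect the IdP hands the URL to the browser, so anything other than an
// absolute http or https URL (javascript:, data:, scheme-relative, ...) is rejected.
func ValidateACSLocation(binding, location string) error {
	switch binding {
	case HTTPPostBinding, HTTPRedirectBinding:
		u, err := url.Parse(location)
		if err != nil {
			return fmt.Errorf("%w: %v", ErrUnsafeACSLocation, err)
		}
		// url.Parse lowercases the scheme, so a plain comparison is enough.
		if (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
			return ErrUnsafeACSLocation
		}
		return nil
	default:
		// Conservative default: bindings this IdP does not serve are refused.
		return fmt.Errorf("unsupported ACS binding %q", binding)
	}
}

func main() {
	// Constructed sample metadata values, not taken from any real SP.
	samples := []struct{ binding, loc string }{
		{HTTPPostBinding, "https://sp.example.com/saml/acs"},
		{HTTPPostBinding, "javascript:void(0)"},
		{HTTPRedirectBinding, "//sp.example.com/saml/acs"},
	}
	for _, s := range samples {
		fmt.Printf("%-36s -> %v\n", s.loc, ValidateACSLocation(s.binding, s.loc))
	}
}
```

Run against metadata at SP registration time as well as before each redirect, since metadata accepted before the check existed is still stored.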

Comment 1 Marco Benatto 2023-10-16 22:54:00 UTC
Created golang-github-crewjam-saml tracking bugs for this issue:

Affects: fedora-all [bug 2244550]