Bug 2176466 (CVE-2023-26483) - CVE-2023-26483 gosaml2: Denial of service via `deflate`-compressed request
Summary: CVE-2023-26483 gosaml2: Denial of service via `deflate`-compressed request
Keywords:
Status: NEW
Alias: CVE-2023-26483
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2176467
TreeView+ depends on / blocked
 
Reported: 2023-03-08 13:13 UTC by Pedro Sampaio
Modified: 2023-07-07 08:31 UTC (History)
0 users

Fixed In Version: gosaml2 0.9.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the gosaml2 package library. This issue may allow attackers to craft a deflate-compressed request, which will consume significantly more memory during processing than the size of the original request. This may eventually lead to memory exhaustion and the process being killed.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description Pedro Sampaio 2023-03-08 13:13:13 UTC
gosaml2 is a Pure Go implementation of SAML 2.0. SAML Service Providers using this library for SAML authentication support are likely susceptible to Denial of Service attacks. A bug in this library enables attackers to craft a `deflate`-compressed request which will consume significantly more memory during processing than the size of the original request. This may eventually lead to memory exhaustion and the process being killed. The maximum compression ratio achievable with `deflate` is 1032:1, so by limiting the size of bodies passed to gosaml2, limiting the rate and concurrency of calls, and ensuring that lots of memory is available to the process it _may_ be possible to help Go's garbage collector "keep up". Implementors are encouraged not to rely on this. This issue is fixed in version 0.9.0.

References:

https://github.com/russellhaering/gosaml2/commit/f9d66040241093e8702649baff50cc70d2c683c0
https://github.com/russellhaering/gosaml2/security/advisories/GHSA-6gc3-crp7-25w5
https://github.com/russellhaering/gosaml2/releases/tag/v0.9.0
https://pkg.go.dev/vuln/GO-2023-1602


Note You need to log in before you can comment on or make changes to this bug.