Description
github.com/russellhaering/gosaml2 is vulnerable to NULL Pointer Dereference
Impact
In versions prior to v0.7.0 it was possible for an attacker to supply an invalid assertion that would trigger a panic due to a nil-pointer dereference, crashing the process that parses the SAML response.
Patches
The issue was patched in v0.7.0, released on March 2, 2022.
Workarounds
Until they can upgrade, callers of gosaml2 can wrap the call that parses the SAML response in a deferred recover() so that the panic is converted into an ordinary error instead of terminating the process, mitigating the potential DoS.
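The workaround above, as an added example that is not part of the advisory or of gosaml2's code. parseAssertion is a constructed stand-in for the pre-0.7.0 behaviour (an unchecked pointer dereference on an assertion that lacks a Signature element); the Assertion and Signature types and the sample inputs are hypothetical. safeParse shows the recover() wrapper a caller would put around the real library call:

```go
package main

import (
	"errors"
	"fmt"
	"runtime"
	"strings"
)

// Signature and Assertion are hypothetical stand-ins for the structures a
// SAML library hands back; they are not gosaml2's types.
type Signature struct {
	Value string
}

type Assertion struct {
	Signature *Signature
}

// parseAssertion is a constructed stand-in for the pre-0.7.0 behaviour: it
// dereferences a.Signature without checking it, so an assertion with no
// Signature element panics with a runtime nil-pointer dereference.
// It is not gosaml2's code.
func parseAssertion(raw string) (*Assertion, error) {
	if !strings.HasPrefix(raw, "<Assertion") {
		return nil, errors.New("not an assertion")
	}
	a := &Assertion{}
	const open, closeTag = "<Signature>", "</Signature>"
	if i := strings.Index(raw, open); i >= 0 {
		if end := strings.Index(raw, closeTag); end >= i+len(open) {
			a.Signature = &Signature{Value: raw[i+len(open) : end]}
		}
	}
	// Unchecked dereference: with a.Signature == nil this line panics.
	if a.Signature.Value == "" {
		return nil, errors.New("empty signature")
	}
	return a, nil
}

// safeParse is the workaround from the advisory: a deferred recover() turns
// a panic inside the parser into an ordinary error, so one hostile response
// fails only its own request instead of killing the process. Only
// runtime.Error values (nil dereference, index out of range, ...) are
// converted; any other panic is re-raised so genuine bugs stay visible.
func safeParse(raw string) (a *Assertion, err error) {
	defer func() {
		if r := recover(); r != nil {
			re, ok := r.(runtime.Error)
			if !ok {
				panic(r)
			}
			a, err = nil, fmt.Errorf("rejecting assertion: parser panicked: %v", re)
		}
	}()
	return parseAssertion(raw)
}

func main() {
	// Constructed inputs: a well-formed assertion, one with no Signature
	// element (the crash case), and something that is not an assertion.
	for _, raw := range []string{
		"<Assertion><Signature>MEUCIQ...</Signature></Assertion>",
		"<Assertion></Assertion>",
		"<Response/>",
	} {
		a, err := safeParse(raw)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Println("ok, signature:", a.Signature.Value)
	}
}
```

In a real service, replace parseAssertion with the gosaml2 call your application uses to validate the encoded response. Two caveats: Go's net/http server already recovers panics raised on a handler goroutine, so the process-level crash mainly threatens code that parses responses elsewhere (a background worker, a custom listener), and the wrapper is a stopgap only; the fix is upgrading gosaml2 to v0.7.0 and goxmldsig to v1.1.1.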
References
See issue #59 for details.
Links
- https://github.com/russellhaering/gosaml2/security/advisories/GHSA-prjq-f4q3-fvfr
- https://github.com/russellhaering/gosaml2/issues/59
- https://github.com/russellhaering/goxmldsig/issues/48
- https://github.com/russellhaering/gosaml2/pull/90
- https://github.com/russellhaering/gosaml2/commit/66e3b7affd622b8b24ea1e18845f045e46b23424
- https://github.com/russellhaering/gosaml2/releases/tag/v0.7.0
- https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRUSSELLHAERINGGOSAML2-608302
Packages
Name
github.com/russellhaering/gosaml2
go
Affected versions    Fixed version
< 0.7.0              0.7.0
Name
github.com/russellhaering/goxmldsig
go
Affected versions    Fixed version
< 1.1.1              1.1.1
Related vulnerabilities
CVSS3: 7.5
nvd
almost 5 years ago
This affects all versions <0.7.0 of package github.com/russellhaering/gosaml2. There is a crash on nil-pointer dereference caused by sending malformed XML signatures.
CVSS3: 7.5
debian
almost 5 years ago
This affects all versions <0.7.0 of package github.com/russellhaering/ ...