CVE-2023-26483 — MEDIUM (5.3)

Q: How severe is CVE-2023-26483?

CVE-2023-26483 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-26483?

Check the references section above for vendor advisories and patch information. Affected products include: Gosaml2 Project Gosaml2.

Vulnerability Description

gosaml2 is a Pure Go implementation of SAML 2.0. SAML Service Providers using this library for SAML authentication support are likely susceptible to Denial of Service attacks. A bug in this library enables attackers to craft a `deflate`-compressed request which will consume significantly more memory during processing than the size of the original request. This may eventually lead to memory exhaustion and the process being killed. The maximum compression ratio achievable with `deflate` is 1032:1, so by limiting the size of bodies passed to gosaml2, limiting the rate and concurrency of calls, and ensuring that lots of memory is available to the process it _may_ be possible to help Go's garbage collector "keep up". Implementors are encouraged not to rely on this. This issue is fixed in version 0.9.0.

CVSS Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

LOW

Affected Products

Vendor	Product	Versions
Gosaml2 Project	Gosaml2	< 0.9.0

Related Weaknesses (CWE)

CWE-409

References

https://github.com/russellhaering/gosaml2/commit/f9d66040241093e8702649baff50cc7Patch
https://github.com/russellhaering/gosaml2/releases/tag/v0.9.0Release Notes
https://github.com/russellhaering/gosaml2/security/advisories/GHSA-6gc3-crp7-25wVendor Advisory
https://pkg.go.dev/vuln/GO-2023-1602Third Party Advisory
https://github.com/russellhaering/gosaml2/commit/f9d66040241093e8702649baff50cc7Patch
https://github.com/russellhaering/gosaml2/releases/tag/v0.9.0Release Notes
https://github.com/russellhaering/gosaml2/security/advisories/GHSA-6gc3-crp7-25wVendor Advisory
https://pkg.go.dev/vuln/GO-2023-1602Third Party Advisory

FAQ

What is CVE-2023-26483?

CVE-2023-26483 is a vulnerability with a CVSS score of 5.3 (MEDIUM). gosaml2 is a Pure Go implementation of SAML 2.0. SAML Service Providers using this library for SAML authentication support are likely susceptible to Denial of Service attacks. A bug in this library en...

How severe is CVE-2023-26483?

CVE-2023-26483 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-26483?

Check the references section above for vendor advisories and patch information. Affected products include: Gosaml2 Project Gosaml2.