github.com/russellhaering/gosaml2 is vulnerable to NULL Pointer Dereference
High severity · GitHub Reviewed
Published Nov 10, 2022 in russellhaering/gosaml2 · Updated May 20, 2024
Published to the GitHub Advisory Database: Nov 15, 2022
Reviewed: Nov 15, 2022
Last updated: May 20, 2024

Description
Impact
In versions prior to v0.7.0, an attacker could supply an invalid assertion that triggered a panic due to a nil-pointer dereference.
Patches
The issue was patched in v0.7.0, released on March 2, 2022.
Workarounds
Callers to gosaml2 can use recover() to handle panics and mitigate a potential DoS. See issue #59 for details.
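The recover()-based workaround described above, as an added Go example that is not gosaml2's own code: the assertion types and parseAssertion are constructed stand-ins that model the nil-pointer failure on an invalid assertion, and withRecover and ValidateNameID are hypothetical names for the caller-side wrapper.

```go
package main

import (
	"errors"
	"fmt"
)

// subject and assertion are constructed stand-ins for a parsed SAML
// assertion; they are not gosaml2's real types.
type subject struct{ NameID string }
type assertion struct{ Subject *subject }

// parseAssertion models the pre-v0.7.0 failure mode: an invalid (here,
// empty) assertion yields a nil Subject that the caller later dereferences.
func parseAssertion(raw string) *assertion {
	if raw == "" {
		return &assertion{} // Subject left nil
	}
	return &assertion{Subject: &subject{NameID: raw}}
}

// ErrPanicked wraps any panic recovered from the validation call.
var ErrPanicked = errors.New("saml: validation panicked")

// withRecover runs fn and converts a panic (such as a nil-pointer
// dereference) into an error, so one bad assertion cannot crash the process.
func withRecover(fn func() error) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("%w: %v", ErrPanicked, r)
		}
	}()
	return fn()
}

// ValidateNameID extracts the NameID or returns an error; it never panics.
func ValidateNameID(raw string) (id string, err error) {
	err = withRecover(func() error {
		id = parseAssertion(raw).Subject.NameID // panics when Subject is nil
		return nil
	})
	return id, err
}

func main() {
	for _, raw := range []string{"alice@example.org", ""} {
		id, err := ValidateNameID(raw)
		fmt.Printf("input=%q id=%q err=%v\n", raw, id, err)
	}
}
```

The wrapper only contains the crash; the request carrying the malformed assertion still fails, and the returned error should be logged so repeated hits are visible. Upgrading to v0.7.0 or later removes the need for it.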