Source: golang-github-crewjam-saml
Version: 0.4.12-2
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for golang-github-crewjam-saml.

CVE-2023-45683[0]:
| github.com/crewjam/saml is a saml library for the go language. In
| affected versions the package does not validate the ACS Location URI
| according to the SAML binding being parsed. If abused, this flaw
| allows attackers to register malicious Service Providers at the IdP
| and inject Javascript in the ACS endpoint definition, achieving
| Cross-Site-Scripting (XSS) in the IdP context during the redirection
| at the end of a SAML SSO Flow. Consequently, an attacker may perform
| any authenticated action as the victim once the victim’s browser
| loaded the SAML IdP initiated SSO link for the malicious service
| provider. Note: SP registration is commonly an unrestricted
| operation in IdPs, hence not requiring particular permissions or
| publicly accessible to ease the IdP interoperability. This issue is
| fixed in version 0.4.14. Users unable to upgrade may perform
| external validation of URLs provided in SAML metadata, or restrict
| the ability for end-users to upload arbitrary metadata.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-45683
    https://www.cve.org/CVERecord?id=CVE-2023-45683
[1] https://github.com/crewjam/saml/security/advisories/GHSA-267v-3v32-g6q5

Regards,
Salvatore
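The workaround the advisory offers to users who cannot upgrade, external validation of the URLs in SAML metadata before an SP is registered, shown as an added Go example. This is not code from the crewjam/saml project or from the bug report above; the metadata structs, the `ValidateACSLocation` and `ValidateMetadata` functions, the character and scheme rules they enforce, and the two sample metadata documents are all constructed for this illustration. The check accepts an ACS Location only when its binding is one an ACS can use, the value is an absolute https URL with a host and no credentials, and it contains no byte that is illegal in a URL (the characters that would let a value break out of a form action or redirect target).

```go
package main

import (
	"encoding/xml"
	"fmt"
	"net/url"
	"strings"
)

// SAML 2.0 binding URIs an AssertionConsumerService may legitimately declare.
// HTTP-Redirect is deliberately absent: it is not a valid ACS binding.
const (
	bindingHTTPPost     = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
	bindingHTTPArtifact = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
)

// assertionConsumerService is the subset of an SP's metadata this check needs.
type assertionConsumerService struct {
	Binding  string `xml:"Binding,attr"`
	Location string `xml:"Location,attr"`
	Index    int    `xml:"index,attr"`
}

// spMetadata models an EntityDescriptor just deeply enough to reach the ACS
// entries. encoding/xml matches path elements by local name, so the md: prefix
// and the SAML metadata namespace are accepted without being spelled out here.
type spMetadata struct {
	XMLName  xml.Name                   `xml:"EntityDescriptor"`
	EntityID string                     `xml:"entityID,attr"`
	ACS      []assertionConsumerService `xml:"SPSSODescriptor>AssertionConsumerService"`
}

// forbiddenInURL lists ASCII bytes that never appear unescaped in a well-formed
// URL (RFC 3986) and that net/url's lenient parser would otherwise let through.
const forbiddenInURL = " \"<>\\^`{|}"

// ValidateACSLocation applies the checks an IdP should run before storing or
// later redirecting to an SP's ACS endpoint.
func ValidateACSLocation(binding, location string) error {
	switch binding {
	case bindingHTTPPost, bindingHTTPArtifact:
	default:
		return fmt.Errorf("unsupported ACS binding %q", binding)
	}
	if location == "" || strings.TrimSpace(location) != location {
		return fmt.Errorf("ACS Location is empty or has surrounding whitespace")
	}
	for _, r := range location {
		// Reject control bytes, non-ASCII, and the characters illegal in a URL.
		if r < 0x21 || r > 0x7e || strings.ContainsRune(forbiddenInURL, r) {
			return fmt.Errorf("ACS Location contains illegal character %q", r)
		}
	}
	u, err := url.Parse(location)
	if err != nil {
		return fmt.Errorf("ACS Location is not a valid URL: %w", err)
	}
	if u.Scheme != "https" {
		return fmt.Errorf("ACS Location must use https, got scheme %q", u.Scheme)
	}
	if u.Host == "" || u.Opaque != "" {
		return fmt.Errorf("ACS Location must be an absolute URL with a host")
	}
	if u.User != nil {
		return fmt.Errorf("ACS Location must not carry credentials")
	}
	return nil
}

// ValidateMetadata parses SP metadata and rejects it if any ACS entry fails
// ValidateACSLocation. Failing here, before the SP is stored, is what keeps a
// user-supplied Location out of the IdP's redirect at the end of the SSO flow.
func ValidateMetadata(raw []byte) error {
	var md spMetadata
	if err := xml.Unmarshal(raw, &md); err != nil {
		return fmt.Errorf("metadata does not parse: %w", err)
	}
	if len(md.ACS) == 0 {
		return fmt.Errorf("metadata for %q declares no AssertionConsumerService", md.EntityID)
	}
	for _, acs := range md.ACS {
		if err := ValidateACSLocation(acs.Binding, acs.Location); err != nil {
			return fmt.Errorf("entity %q, ACS index %d: %w", md.EntityID, acs.Index, err)
		}
	}
	return nil
}

// Constructed sample metadata (not real SP metadata): one well-formed entry and
// one whose Location uses a non-https scheme and must be rejected.
const goodMetadata = `<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.test/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.test/saml/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>`

const badMetadata = `<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://evil.example.test/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="javascript:void(0)" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>`

func main() {
	for name, doc := range map[string]string{"good": goodMetadata, "bad": badMetadata} {
		if err := ValidateMetadata([]byte(doc)); err != nil {
			fmt.Printf("%s metadata rejected: %v\n", name, err)
		} else {
			fmt.Printf("%s metadata accepted\n", name)
		}
	}
}
```

Run the validator at the point where metadata enters the IdP (an upload form, a metadata-URL fetch, or an admin API), and treat a rejection as a reason not to persist the SP at all; restricting who may upload metadata, the advisory's other workaround, is complementary rather than a substitute.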