Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
gosaml2 vulnerable to Denial of Service via deflate decompression bomb
Vulnerability Description
gosaml2 is a Pure Go implementation of SAML 2.0. SAML Service Providers using this library for SAML authentication support are likely susceptible to Denial of Service attacks. A bug in this library enables attackers to craft a `deflate`-compressed request which will consume significantly more memory during processing than the size of the original request. This may eventually lead to memory exhaustion and the process being killed. The maximum compression ratio achievable with `deflate` is 1032:1, so by limiting the size of bodies passed to gosaml2, limiting the rate and concurrency of calls, and ensuring that lots of memory is available to the process it _may_ be possible to help Go's garbage collector "keep up". Implementors are encouraged not to rely on this. This issue is fixed in version 0.9.0.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Vulnerability Type
对高度压缩数据的处理不恰当(数据放大攻击)
Vulnerability Title
gosaml2 安全漏洞
Vulnerability Description
gosaml2是一个应用软件。提供了一个基于etree 和goxmldsig(纯XML数字签名的Go实现)的服务提供商的SAML 2.0实现功能。 gosaml2存在安全漏洞,该漏洞源于在处理过程中会消耗比原始请求大得多的内存,从而导致内存耗尽和进程被杀死。
CVSS Information
N/A
Vulnerability Type
N/A