もっと詳しく

Impact

In versions prior to v0.7.0 it was possible for an attacker to supply an invalid assertion which would trigger a panic due to a nil-pointer dereference.

Patches

The issue was patched in v0.7.0, released on March 2, 2022.

Workarounds

Callers to gosaml2 can use recover() to handle panics to mitigate a potential DoS.

References

See issue #59 for details.

References