Impact
In versions prior to v0.7.0, an attacker could supply an invalid assertion that triggered a panic due to a nil-pointer dereference, crashing the process that consumed it.
Patches
The issue was patched in v0.7.0, released on March 2, 2022.
Workarounds
Callers to gosaml2 can use recover() to handle panics and mitigate a potential DoS.
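The following is an added example, not gosaml2's own code, of the recover() workaround described above. It assumes a constructed stand-in, retrieveAssertionInfo, that dereferences a nil pointer on malformed input (mirroring the advisory's description); the real call site would be the library's assertion-processing function instead. The wrapper turns the panic into an error the caller can log and reject, so one hostile response does not take down the service.

```go
package main

import (
	"errors"
	"fmt"
	"log"
)

// assertion is a constructed placeholder for a parsed SAML assertion.
type assertion struct{ Subject string }

// parseAssertion is a constructed stand-in (not gosaml2 code): on malformed
// input it returns nil, which the caller below fails to check.
func parseAssertion(encoded string) *assertion {
	if encoded == "" || encoded == "invalid" {
		return nil
	}
	return &assertion{Subject: "user@example.com"}
}

// retrieveAssertionInfo simulates the pre-v0.7.0 behaviour: a nil-pointer
// dereference when the assertion is invalid. Hypothetical, not the library's API.
func retrieveAssertionInfo(encoded string) string {
	a := parseAssertion(encoded)
	return a.Subject // panics on nil a
}

// ErrPanicked is returned in place of a crash so callers can distinguish a
// recovered panic from an ordinary validation error.
var ErrPanicked = errors.New("saml: recovered from panic while processing assertion")

// safeRetrieve wraps the possibly-panicking call. The deferred recover runs in
// the same goroutine as the call, which is required for recover() to catch it.
func safeRetrieve(encoded string) (subject string, err error) {
	defer func() {
		if r := recover(); r != nil {
			// Record the panic value for investigation; return a generic error
			// rather than leaking internals to the remote party.
			log.Printf("recovered panic while processing SAML assertion: %v", r)
			subject = ""
			err = fmt.Errorf("%w: %v", ErrPanicked, r)
		}
	}()
	subject = retrieveAssertionInfo(encoded)
	return subject, nil
}

func main() {
	for _, in := range []string{"valid-assertion", "invalid"} {
		s, err := safeRetrieve(in)
		fmt.Printf("input=%q subject=%q err=%v\n", in, s, err)
	}
}
```

Two points worth noting when applying this in a real service: recover() only catches panics raised in the goroutine where the defer is installed, so the wrapper must surround the library call itself, not a parent goroutine; and although net/http's server already recovers panics in handlers, it does so by logging and dropping the connection, whereas an explicit wrapper lets the handler return a controlled 4xx response and a log entry that identifies the rejected assertion.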
References
See issue #59 for details.
- https://github.com/russellhaering/gosaml2/security/advisories/GHSA-prjq-f4q3-fvfr
- https://github.com/russellhaering/gosaml2/issues/59
- https://github.com/advisories/GHSA-gq5r-cc4w-g8xf
- https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRUSSELLHAERINGGOSAML2-608302
- https://github.com/advisories/GHSA-prjq-f4q3-fvfr