CVE-2022-41912

Name: CVE-2022-41912
Description: The crewjam/saml Go library prior to version 0.4.9 is vulnerable to an authentication bypass when processing SAML responses containing multiple Assertion elements. This issue has been corrected in version 0.4.9. There are no workarounds other than upgrading to a fixed version.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1025187

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package                     Release   Version    Status
golang-github-crewjam-saml (PTS)   sid       0.4.12-2   fixed

The information below is based on the following data on fixed versions.

Package                      Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
golang-github-crewjam-saml   source   (unstable)   0.4.10-1        -         -        1025187

Notes

https://github.com/crewjam/saml/security/advisories/GHSA-j2jp-wvqg-wc2g
https://github.com/crewjam/saml/commit/aee3fb1edeeaf1088fcb458727e0fd863d277f8b (v0.4.9)
https://bugs.chromium.org/p/project-zero/issues/detail?id=2368
