CVE-2023-28119

7.5 HIGH

📋 TL;DR

CVE-2023-28119 is a denial-of-service vulnerability in the crewjam/saml Go library where unlimited decompression of SAML requests can crash the server process. Any application using vulnerable versions of this library for SAML authentication is affected, particularly web applications and services implementing SAML SSO.

💻 Affected Systems

Products:
  • crewjam/saml Go library
Versions: All versions prior to 0.4.13
Operating Systems: All platforms running Go applications
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using the library's SAML processing functions without additional input validation is vulnerable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service outage through repeated exploitation causing process termination, potentially leading to authentication failures and application downtime.

🟠

Likely Case

Service disruption through resource exhaustion, requiring process restart and causing temporary authentication failures.

🟢

If Mitigated

Minimal impact with proper input validation and resource limits in place, potentially causing degraded performance but no service disruption.

🌐 Internet-Facing: HIGH - SAML endpoints are typically internet-facing for SSO, making them directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal SAML endpoints could still be exploited by internal threats or compromised accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted SAML requests but no authentication is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.4.13

Vendor Advisory: https://github.com/crewjam/saml/security/advisories/GHSA-5mqj-xc49-246p

Restart Required: Yes

Instructions:

1. Update go.mod to require github.com/crewjam/saml v0.4.13 or higher.
2. Run 'go mod tidy'.
3. Rebuild and redeploy the application.
4. Restart affected services.

🔧 Temporary Workarounds

Input size limiting at reverse proxy

Applies to: all

Configure the reverse proxy to limit the request body size for SAML endpoints:

nginx: client_max_body_size 1m;
Apache: LimitRequestBody 1048576

Rate limiting SAML endpoints

Applies to: all

Implement rate limiting to prevent repeated exploitation attempts:

nginx: limit_req_zone $binary_remote_addr zone=saml:10m rate=10r/s;
       limit_req zone=saml burst=20 nodelay;

🧯 If You Can't Patch

  • Implement WAF rules to block oversized SAML requests or suspicious compression patterns
  • Deploy additional monitoring and alerting for process crashes related to SAML endpoints
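The workarounds above bound the request as it arrives on the wire, but a deflate bomb is small on the wire and only becomes large when inflated, so the durable control is to cap the decompressed size inside the application. The following is an added example, not crewjam/saml's own code: it decodes a SAMLRequest parameter (base64 over raw DEFLATE, as in the HTTP-Redirect binding) through an io.LimitReader and rejects anything that inflates past a configurable cap; the function names, the 1 MiB cap and the constructed sample inputs are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"compress/flate"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// ErrTooLarge is returned when the inflated request would exceed the cap.
var ErrTooLarge = errors.New("saml: decompressed request exceeds size limit")

// DecodeSAMLRequest base64-decodes and inflates a SAMLRequest parameter
// (HTTP-Redirect binding: raw DEFLATE, then base64), capping the inflated
// size at maxDecompressed bytes so a small-on-the-wire bomb is rejected early.
func DecodeSAMLRequest(param string, maxDecompressed int64) ([]byte, error) {
	compressed, err := base64.StdEncoding.DecodeString(param)
	if err != nil {
		return nil, fmt.Errorf("saml: bad base64: %w", err)
	}
	// Read at most maxDecompressed+1 bytes; the extra byte reveals that the
	// stream would have continued past the cap without inflating the rest.
	lr := io.LimitReader(flate.NewReader(bytes.NewReader(compressed)), maxDecompressed+1)
	out, err := io.ReadAll(lr)
	if err != nil {
		return nil, fmt.Errorf("saml: inflate: %w", err)
	}
	if int64(len(out)) > maxDecompressed {
		return nil, ErrTooLarge
	}
	return out, nil
}

// EncodeSAMLRequest is the inverse (deflate, then base64). It is used here
// only to build constructed inputs, including a decompression bomb.
func EncodeSAMLRequest(xml []byte) string {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression) // errs only on a bad level
	w.Write(xml)
	w.Close()
	return base64.StdEncoding.EncodeToString(buf.Bytes())
}

func main() {
	bomb := EncodeSAMLRequest(make([]byte, 16<<20)) // constructed: 16 MiB of zeros, a few KiB encoded
	_, err := DecodeSAMLRequest(bomb, 1<<20)          // assumed cap: 1 MiB of inflated XML
	fmt.Println(len(bomb), err)
}
```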

🔍 How to Verify

Check if Vulnerable:

Check go.mod or vendor dependencies for crewjam/saml version <0.4.13

Check Version:

go list -m all | grep crewjam/saml

Verify Fix Applied:

Verify go.mod requires github.com/crewjam/saml v0.4.13+ and run 'go list -m all | grep saml'

📡 Detection & Monitoring

Log Indicators:

  • Process crashes or restarts after SAML requests
  • Unusually large HTTP requests to SAML endpoints
  • High memory usage spikes

Network Indicators:

  • Repeated POST requests to /saml/* endpoints with large payloads
  • Requests with Content-Encoding: deflate and large size

SIEM Query:

source="application.logs" AND ("process terminated" OR "out of memory") AND uri_path="/saml/*"
