CVE-2022-41912: crewjam/saml go library is vulnerable to signature bypass via multiple Assertion elements
First published: Mon Nov 28 2022(Updated: )
An authentication bypass flaw was discovered in the crewjam/saml go package. A remote unauthenticated attacker could trigger it by sending a SAML request. This would allow an escalation of privileges and then enable compromising system integrity.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Saml Project Saml | <0.4.9 | |
| redhat/crewjam/saml | <0.4.9 | 0.4.9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/170356/crewjam-saml-Signature-Bypass.html
- https://github.com/crewjam/saml/commit/aee3fb1edeeaf1088fcb458727e0fd863d277f8b
- https://github.com/crewjam/saml/security/advisories/GHSA-j2jp-wvqg-wc2g
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2149186
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2149187
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2149188
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2151477
- https://access.redhat.com/errata/RHSA-2022:9040
- https://access.redhat.com/security/cve/cve-2022-41912
- https://access.redhat.com/errata/RHSA-2022:9108
- https://access.redhat.com/errata/RHSA-2023:0032
- https://access.redhat.com/errata/RHSA-2023:0237
- https://access.redhat.com/errata/RHSA-2023:0630
- https://access.redhat.com/errata/RHSA-2023:0574
- https://access.redhat.com/errata/RHSA-2023:3642
- https://bugzilla.redhat.com/show_bug.cgi?id=2149181
- https://www.cve.org/CVERecord?id=CVE-2022-41912 https://nvd.nist.gov/vuln/detail/CVE-2022-41912 https://github.com/crewjam/saml/security/advisories/GHSA-j2jp-wvqg-wc2g
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2022-41912?
CVE-2022-41912 is an authentication bypass flaw in the crewjam/saml go package.
What is the severity of CVE-2022-41912?
CVE-2022-41912 has a severity rating of 9.1 (critical).
How does CVE-2022-41912 affect the crewjam/saml go library?
CVE-2022-41912 affects the crewjam/saml go library prior to version 0.4.9.
How can I fix CVE-2022-41912?
To fix CVE-2022-41912, upgrade to version 0.4.9 of the crewjam/saml go library.
Are there any workarounds for CVE-2022-41912?
No, there are no workarounds for CVE-2022-41912 other than upgrading to version 0.4.9.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/weakness
- agent/first-publish-date
- agent/softwarecombine
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-41912
- agent/software-canonical-lookup
- agent/severity
- agent/remedy
- agent/references
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/tags
- agent/event
- vendor/saml project
- canonical/saml project saml
- package-manager/redhat