CVE-2022-41912 The crewjam/saml go library before version 0.4.9 is vulnerable to an authentication bypass when processing SAML responses containing multiple Assertion elements. This issue has been corrected in version 0.4.9.
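The following Go example is added here and is not crewjam/saml's own code, nor a reproduction of the 0.4.9 fix. It shows the kind of defensive pre-check a service provider can run on a raw SAML response before handing it to any library: count the Assertion elements in the SAML 2.0 assertion namespace and refuse the response unless there is exactly one. The function names and the two sample responses are constructed for this example.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Namespace of the SAML 2.0 <Assertion> element (standard URN).
const samlAssertionNS = "urn:oasis:names:tc:SAML:2.0:assertion"

// ErrAssertionCount is returned when a response does not carry exactly one Assertion.
var ErrAssertionCount = errors.New("saml response must contain exactly one Assertion element")

// CountAssertions walks every start element in the raw XML, at any depth, and counts
// those named Assertion in the SAML assertion namespace. Counting at any depth matters:
// an extra assertion smuggled inside another element is still counted.
func CountAssertions(raw string) (int, error) {
	dec := xml.NewDecoder(strings.NewReader(raw))
	n := 0
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return n, nil
		}
		if err != nil {
			return 0, err
		}
		if se, ok := tok.(xml.StartElement); ok &&
			se.Name.Space == samlAssertionNS && se.Name.Local == "Assertion" {
			n++
		}
	}
}

// RejectMultipleAssertions is a pre-check to run before signature validation:
// a response with zero or more than one Assertion is refused outright.
func RejectMultipleAssertions(raw string) error {
	n, err := CountAssertions(raw)
	if err != nil {
		return fmt.Errorf("malformed saml response: %w", err)
	}
	if n != 1 {
		return fmt.Errorf("%w (found %d)", ErrAssertionCount, n)
	}
	return nil
}

// Constructed sample: a well-formed response carrying a single assertion.
const singleAssertion = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">` +
	`<saml:Assertion ID="_a1"><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion>` +
	`</samlp:Response>`

// Constructed sample: the same response with a second assertion appended.
const doubleAssertion = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2">` +
	`<saml:Assertion ID="_a1"><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion>` +
	`<saml:Assertion ID="_a2"><saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject></saml:Assertion>` +
	`</samlp:Response>`

func main() {
	for name, resp := range map[string]string{"single": singleAssertion, "double": doubleAssertion} {
		if err := RejectMultipleAssertions(resp); err != nil {
			fmt.Printf("%s: rejected: %v\n", name, err)
		} else {
			fmt.Printf("%s: accepted\n", name)
		}
	}
}
```

The check is deliberately placed before any signature or decryption step, so it costs nothing when the response is well-formed and removes the ambiguity of "which assertion was the signed one" before a library ever has to answer it. Encrypted assertions (EncryptedAssertion elements) are not counted here; a deployment that accepts them would need to count those as well.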

If your application is using crewjam/saml, you should upgrade to the latest version as soon as possible.

Crewjam/saml versions prior to 0.4.9 are vulnerable to a cross-site scripting (XSS) attack when handling SAML authentication responses. This issue has been corrected in crewjam/saml 0.4.9. There are no workarounds other than upgrading to a fixed version.

Crewjam/saml versions prior to 0.3.0 are vulnerable to an XSS attack when handling SAML authentication responses. This issue has been corrected in crewjam/saml 0.3.0. There are no workarounds other than upgrading to a fixed version.

Crewjam/saml versions prior to 0.2.5 are vulnerable to an XSS attack when handling SAML authentication responses. This issue has been corrected in crewjam/saml 0.2.7. There are no workarounds other than upgrading to a fixed version.

Crewjam/saml versions prior to 0.2.3 are vulnerable to an XSS attack when handling SAML authentication responses. This issue has been corrected in crewjam/saml 0.2.5. There are no workarounds other than upgrading to a fixed version.

Crewjam/saml versions prior to 0.1.0 are vulnerable to an XSS attack when handling SAML authentication responses. This issue

Crewjam/saml version 0.4.9

Crewjam/saml versions prior to 0.4.9 are vulnerable to a cross-site scripting (XSS) attack when handling SAML authentication responses. This issue has been corrected in crewjam/saml 0.4.9. There are no workarounds other than upgrading to a fixed version as soon as possible.

Crewjam/saml technical details

Crewjam/saml uses OpenID Connect as the authentication provider for SAML.
For more information about the vulnerability, see https://github.com/crewjam/saml-saas-new-security-update

Timeline

Published on: 11/28/2022 15:15:00 UTC
Last modified on: 12/01/2022 20:20:00 UTC