Github.Com Crewjam Saml vulnerabilities

CVE-2023-45683 [HIGH] CWE-79 Cross-site Scripting via missing Binding syntax validation Cross-site Scripting via missing Binding syntax validation ### Impact The package does not validate the ACS Location URI according to the SAML binding being parsed. If abused, this flaw allows attackers to register malicious Service Providers at the IdP and inject Javascript in the ACS endpoint definition, achieving Cross-Site-Scripting (XSS) in the IdP context during the redirection at the end of a SAML S

CVE-2023-28119 [HIGH] CWE-770 crewjam/saml vulnerable to Denial Of Service Via Deflate Decompression Bomb crewjam/saml vulnerable to Denial Of Service Via Deflate Decompression Bomb Our use of flate.NewReader does not limit the size of the input. The user could pass more than 1 MB of data in the HTTP request to the processing functions, which will be decompressed server-side using the Deflate algorithm. Therefore, after repeating the same request multiple times, it is possible to achieve a reli

CVE-2022-41912 [CRITICAL] CWE-287 crewjam/saml vulnerable to signature bypass via multiple Assertion elements due to improper authentication crewjam/saml vulnerable to signature bypass via multiple Assertion elements due to improper authentication ### Impact The crewjam/saml go library is vulnerable to an authentication bypass when processing SAML responses containing multiple Assertion elements. ### Patches This issue has been corrected in version 0.4.9. ### Credit This issue was reported

CVE-2020-27846 [CRITICAL] CWE-115 XML Processing error in github.com/crewjam/saml XML Processing error in github.com/crewjam/saml ### Impact There are three vulnerabilities in the go `encoding/xml` package that can allow an attacker to forge part of a signed XML document. For details on this vulnerability see [xml-roundtrip-validator](https://github.com/mattermost/xml-roundtrip-validator) ### Patches In version 0.4.3, all XML input is validated prior to being parsed.