7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-28119

CVE-2023-28119: crewjam/saml vulnerable to Denial Of Service Via Deflate Decompression Bomb

Our use of flate.NewReader does not limit the size of the input. The user could pass more than 1 MB of data in the HTTP request to the processing functions, which will be decompressed server-side using the Deflate algorithm. Therefore, after repeating the same request multiple times, it is possible to achieve a reliable crash since the operating system kills the process.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-28119

CVE-2023-28119:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/crewjam/saml	go	< 0.4.13	0.4.13

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from direct use of flate.NewReader in SAML request/response processing paths without size limitations. The patch replaces these with newSaferFlateReader that enforces a 10MB limit. The affected functions are clearly shown in the diff:- identity_provider.go line 363 (SAMLRequest handling)- service_provider.go line 1524 (logout response validation). Both locations decompressed user-controlled input without resource constraints, matching the CWE-770 description of unlimited allocation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-28119: crewjam/saml vulnerable to Denial Of Service Via Deflate Decompression Bomb

CVE-2023-28119:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Detect and Respond To Threats Faster.

7.5

7.5

Basic Information

Basic Information

CVE-2023-28119: crewjam/saml vulnerable to Denial Of Service Via Deflate Decompression Bomb

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-28119: crewjam/saml vulnerable to Denial Of Service Via Deflate Decompression Bomb

CVE-2023-28119:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

7.5

7.5

Basic Information

Basic Information

CVE-2023-28119: crewjam/saml vulnerable to Denial Of Service Via Deflate Decompression Bomb

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI