How severe is CVE-2023-26483?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 5.3 out of 10.

What type of vulnerability is CVE-2023-26483?

This is classified as CWE-409, which is a common weakness in software security.

CVE-2023-26483 - MEDIUM Severity | CVSS 5.3

Vulnerability Description

gosaml2 is a Pure Go implementation of SAML 2.0. SAML Service Providers using this library for SAML authentication support are likely susceptible to Denial of Service attacks. A bug in this library enables attackers to craft a `deflate`-compressed request which will consume significantly more memory during processing than the size of the original request. This may eventually lead to memory exhaustion and the process being killed. The maximum compression ratio achievable with `deflate` is 1032:1, so by limiting the size of bodies passed to gosaml2, limiting the rate and concurrency of calls, and ensuring that lots of memory is available to the process it _may_ be possible to help Go's garbage collector "keep up". Implementors are encouraged not to rely on this. This issue is fixed in version 0.9.0.

Related Vulnerabilities

CVE-2022-37439

MEDIUM

CVSS:5.5(Medium)

In Splunk Enterprise and Universal Forwarder versions in the following table, indexing a specially crafted ZIP file using the file monitoring input can result in a crash of the application. Attempts t...

CWE-4092022

CVE-2017-16129

MEDIUM

CVSS:5.9(Medium)

The HTTP client module superagent is vulnerable to ZIP bomb attacks. In a ZIP bomb attack, the HTTP server replies with a compressed response that becomes several magnitudes larger once uncompressed. ...

CWE-4092017

CVE-2025-0986

MEDIUM

CVSS:4.5(Medium)

IBM PowerVM Hypervisor FW1050.00 through FW1050.30 and FW1060.00 through FW1060.20 could allow a local user, under certain Linux processor combability mode configurations, to cause undetected data los...

CWE-4092025

CVE-2024-28180

MEDIUM

CVSS:4.3(Medium)

Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memo...

CWE-4092024

CVE-2024-54016

MEDIUM

CVSS:4.3(Medium)

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubating): through <=2.2.0. Users are recommended to upg...

CWE-4092024

CVE-2023-0475

MEDIUM

CVSS:6.5(Medium)

HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.

CWE-4092023