saml@0.3.0 vulnerability: Authentication Bypass #167
Comments
SAML has an issue with authentication as it is. I brought it up almost a year ago and it’s not been addressed. Hoping someone takes this seriously.
That is unfortunate. I am rolling out subspace in pre-production (only for the development team). I will try to investigate this issue in my free time, but if I find myself unable to come up with an upgrade solution, I think I will be forced to move to a less feature-rich solution. SSO support was the main selling point of subspace. I am trying to volunteer to help with subspace, but I have had zero response from the current maintainers. This feels like an abandoned project without formal acknowledgement.
From https://pkg.go.dev/github.com/crewjam/saml#readme-breaking-changes
It makes it sound like the changes shouldn't break anything, but I have been investigating a little and many methods indeed cease to exist. I am still investigating how extensive the changes will need to be, but my lack of experience with Go is hindering me a little.
I checked the dependencies through a vulnerability scanner:
It's better to upgrade crewjam/saml to 0.4.3+. There are several significant changes in the API, so it won't be easy.
crewjam/saml@v0.3.1...v0.4.5
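A small dependency check for the upgrade advice above, added here as an example (it is not subspace's or crewjam/saml's own code): it scans a go.mod for github.com/crewjam/saml and flags any pinned version below the v0.4.3 lower bound given in the thread. The sample go.mod and the module path example.com/subspace are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample go.mod (an assumed one, not subspace's real file) still pinning the 0.3.x line.
const sampleGoMod = "module example.com/subspace\n\ngo 1.13\n\nrequire (\n\tgithub.com/crewjam/saml v0.3.1\n\tgithub.com/gorilla/mux v1.7.3\n)\n"
// fixedVersion is the lower bound recommended in the thread ("0.4.3+"); everything below it is flagged.
var fixedVersion = [3]int{0, 4, 3}

// SamlVersion returns the crewjam/saml version a go.mod requires ("" if absent). It accepts
// both the "require ( ... )" block form and the single-line "require mod vX.Y.Z" form.
func SamlVersion(gomod string) string {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(sc.Text()), "require "))
		if len(f) >= 2 && f[0] == "github.com/crewjam/saml" {
			return f[1]
		}
	}
	return ""
}

// Vulnerable reports whether go.mod pins crewjam/saml below fixedVersion (suffixes stripped; v0.4.3-rc1 still counts).
func Vulnerable(gomod string) (bool, error) {
	raw := SamlVersion(gomod)
	if raw == "" {
		return false, nil // module not required at all
	}
	v, pre := strings.TrimPrefix(raw, "v"), false
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		pre, v = v[i] == '-', v[:i] // '-' starts a pre-release/pseudo-version, '+' build metadata
	}
	var got [3]int
	if _, err := fmt.Sscanf(v, "%d.%d.%d", &got[0], &got[1], &got[2]); err != nil {
		return false, fmt.Errorf("cannot parse crewjam/saml version %q: %v", raw, err)
	}
	for i := range got {
		if got[i] != fixedVersion[i] {
			return got[i] < fixedVersion[i], nil
		}
	}
	return pre, nil // exactly the fixed base version: vulnerable only if it is a pre-release
}

func main() { fmt.Println(Vulnerable(sampleGoMod)) } // prints "true <nil>" for the sample
```

A `replace` directive in go.mod would override the required version and is not considered here; `go list -m github.com/crewjam/saml` shows the version actually selected.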