CVE-2022-41912: 
Red Hat Enterprise Linux CoreOS (RHCOS) vulnerability analysis and mitigation

The crewjam/saml Go library versions prior to 0.4.9 were found to contain a critical authentication bypass vulnerability (CVE-2022-41912). The vulnerability was discovered and reported by Felix Wilhelm from Google Project Zero, and was publicly disclosed on November 28, 2022. This security flaw affects applications using the crewjam/saml package for SAML-based authentication (GitHub Advisory, NVD).

The vulnerability occurs when processing SAML responses that contain multiple Assertion elements. The flaw allows for potential authentication bypass scenarios, and has been assigned a CVSS v3.1 base score of 9.1 (Critical), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. This indicates that the vulnerability can be exploited over the network, requires low attack complexity, needs no privileges or user interaction, and can result in high impact to both confidentiality and integrity (GitHub Advisory).

The vulnerability can lead to unauthorized access to protected resources, as it allows attackers to bypass authentication mechanisms. With a CVSS score of 9.1, the impact is considered critical, particularly affecting the confidentiality and integrity of systems implementing the vulnerable library (GitHub Advisory).

The vulnerability has been fixed in version 0.4.9 of the crewjam/saml library. Users are strongly advised to upgrade to this patched version to protect against potential authentication bypasses (GitHub Advisory).