
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability (CVE-2023-45683) affects github.com/crewjam/saml, a SAML library for the Go language. In versions prior to 0.4.14 the package fails to properly validate the Assertion Consumer Service (ACS) Location URI according to the SAML binding being parsed. The vulnerability was disclosed on October 14, 2023, and affects all versions of the library before 0.4.14 (GitHub Advisory).
Because the ACS Location URI is not checked against the binding it is declared for, an attacker can register a malicious Service Provider at the Identity Provider (IdP) and place JavaScript code in the ACS endpoint definition instead of an HTTP(S) URL. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 MEDIUM by NIST and 7.1 HIGH by GitHub, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).
When exploited, this vulnerability enables Cross-Site Scripting (XSS) in the IdP context during the redirection at the end of a SAML SSO flow. After successful exploitation, an attacker can perform any authenticated action as the victim once the victim's browser has loaded the IdP-initiated SSO link for the malicious service provider. The impact is particularly significant because SP registration is commonly an unrestricted operation in IdPs, requiring no special permissions and often being publicly accessible to facilitate IdP interoperability (GitHub Advisory).
The vulnerability has been fixed in version 0.4.14 of the library. For users unable to upgrade, two workarounds are available: (1) perform external validation of the URLs provided in SAML metadata before accepting it, or (2) restrict the ability of end users to upload arbitrary metadata. Upgrading to the patched version 0.4.14 is strongly recommended for complete protection (GitHub Advisory).
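The following Go program is an added example of the first workaround (external validation of metadata URLs) and is not code from the crewjam/saml project or from the advisory. It parses a Service Provider metadata document with the standard library only and rejects it if any AssertionConsumerService declared with the HTTP-POST or HTTP-Redirect binding has a Location that is not an absolute http(s) URL, which is the class of input the advisory describes. The metadata documents, the `requireHTTPS` switch and the function names are constructed for this example; the exact checks the library applies since 0.4.14 may differ.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// SAML 2.0 binding identifiers for the two browser-facing ACS bindings.
const (
	bindingHTTPPost     = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
	bindingHTTPRedirect = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
)

// Minimal view of SP metadata: only the fields the check needs.
type acsEndpoint struct {
	Binding  string `xml:"Binding,attr"`
	Location string `xml:"Location,attr"`
	Index    int    `xml:"index,attr"`
}

type spSSODescriptor struct {
	ACS []acsEndpoint `xml:"AssertionConsumerService"`
}

type entityDescriptor struct {
	XMLName  xml.Name        `xml:"urn:oasis:names:tc:SAML:2.0:metadata EntityDescriptor"`
	EntityID string          `xml:"entityID,attr"`
	SPSSO    spSSODescriptor `xml:"SPSSODescriptor"`
}

// Constructed sample metadata (not from any real deployment). The "bad" document
// carries a javascript: URI as an ACS Location, the shape of input the advisory describes.
const sampleGoodMetadata = `<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.test/metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.test/saml/acs" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>`

const sampleBadMetadata = `<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.test/metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.test/saml/acs" index="0"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="javascript:void(0)" index="1"/>
  </SPSSODescriptor>
</EntityDescriptor>`

// ValidateACSLocation checks a single ACS endpoint. For the HTTP-POST and HTTP-Redirect
// bindings the IdP will send the user's browser to Location, so it must be an absolute
// URL with an http or https scheme and a host. Any other scheme (javascript:, data:, ...)
// and any relative or opaque URI is rejected. Other bindings are rejected as unsupported.
func ValidateACSLocation(binding, location string, requireHTTPS bool) error {
	switch binding {
	case bindingHTTPPost, bindingHTTPRedirect:
	default:
		return fmt.Errorf("unsupported ACS binding %q", binding)
	}
	u, err := url.Parse(location)
	if err != nil {
		return fmt.Errorf("ACS location %q is not a valid URL: %w", location, err)
	}
	scheme := strings.ToLower(u.Scheme)
	if scheme != "https" && !(scheme == "http" && !requireHTTPS) {
		return fmt.Errorf("ACS location %q: scheme %q not allowed", location, u.Scheme)
	}
	if u.Host == "" {
		return fmt.Errorf("ACS location %q has no host", location)
	}
	return nil
}

// ValidateSPMetadata parses SP metadata and applies ValidateACSLocation to every ACS
// endpoint. It returns the accepted locations, or an error that names the offending
// entity and endpoint index. Run it before handing uploaded metadata to the SAML library
// or registering the SP at the IdP.
func ValidateSPMetadata(raw []byte, requireHTTPS bool) ([]string, error) {
	var ed entityDescriptor
	if err := xml.Unmarshal(raw, &ed); err != nil {
		return nil, fmt.Errorf("parse metadata: %w", err)
	}
	if len(ed.SPSSO.ACS) == 0 {
		return nil, errors.New("metadata declares no AssertionConsumerService")
	}
	var accepted []string
	for _, a := range ed.SPSSO.ACS {
		if err := ValidateACSLocation(a.Binding, a.Location, requireHTTPS); err != nil {
			return nil, fmt.Errorf("entity %s, ACS index %d: %w", ed.EntityID, a.Index, err)
		}
		accepted = append(accepted, a.Location)
	}
	return accepted, nil
}

func main() {
	for name, doc := range map[string]string{"good": sampleGoodMetadata, "bad": sampleBadMetadata} {
		locs, err := ValidateSPMetadata([]byte(doc), true)
		fmt.Printf("%s metadata: locations=%v err=%v\n", name, locs, err)
	}
}
```

With `requireHTTPS` set, the good document yields the single ACS location and the bad document is rejected at ACS index 1. Relaxing it to allow plain http is only appropriate for local development; the scheme allow-list is what blocks the injected script URI either way.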
Source: This report was generated using AI