GoogleOSV:GHSA-M9HP-7R99-94H5Critical security issues in XML encoding in github.com/dexidp/dex
0.004 Low
EPSS
Percentile
73.7%
Impact
The following vulnerabilities have been disclosed, which impact users leveraging the SAML connector:
Signature Validation Bypass (CVE-2020-15216): https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7
encoding/xml instabilities:
- Element namespace prefix instability (CVE-2020-29511)
- Attribute namespace prefix instability (CVE-2020-29509)
- Directive comment instability (CVE-2020-29510)
Patches
Immediately update to Dex v2.27.0.
Workarounds
There are no known workarounds.
| CPE | Name | Operator | Version |
|---|---|---|---|
| github.com/russellhaering/goxmldsig | lt | 1.1.0 | |
| github.com/dexidp/dex | lt | 2.27.0 |
References
github.com/dexidp/dex/commit/324b1c886b407594196113a3dbddebe38eecd4e8
github.com/dexidp/dex/releases/tag/v2.27.0
github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5
github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-attributes.md
github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-directives.md
github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-elements.md
github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64
github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7
mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities
nvd.nist.gov/vuln/detail/CVE-2020-26290
pkg.go.dev/vuln/GO-2020-0050
Related
