reports/GO-2021-0058.yaml - vuln - Git at Google

 module: github.com/crewjam/saml
 additional_packages:
   - module: github.com/crewjam/saml
     package: github.com/crewjam/saml/samlidp
     versions:
       - fixed: v0.4.3
   - module: github.com/crewjam/saml
     package: github.com/crewjam/saml/samlsp
     versions:
       - fixed: v0.4.3
 versions:
   - fixed: v0.4.3
 description: |
   Due to the behavior of encoding/xml, a crafted XML document may cause
   XML Digital Signature validation to be entirely bypassed, causing an
   unsigned document to appear signed.
 published: 2021-04-14T12:00:00Z
 cve: CVE-2020-27846
 symbols:
   - IdpAuthnRequest.Validate
   - ServiceProvider.ParseXMLResponse
   - ServiceProvider.ValidateLogoutResponseForm
   - ServiceProvider.ValidateLogoutResponseRedirect
 links:
   commit: https://github.com/crewjam/saml/commit/da4f1a0612c0a8dd0452cf8b3c7a6518f6b4d053
   context:
     - https://github.com/crewjam/saml/security/advisories/GHSA-4hq8-gmxx-h6w9
	module: github.com/crewjam/saml
	additional_packages:
	- module: github.com/crewjam/saml
	package: github.com/crewjam/saml/samlidp
	versions:
	- fixed: v0.4.3
	- module: github.com/crewjam/saml
	package: github.com/crewjam/saml/samlsp
	versions:
	- fixed: v0.4.3
	versions:
	- fixed: v0.4.3
	description: \|
	Due to the behavior of encoding/xml, a crafted XML document may cause
	XML Digital Signature validation to be entirely bypassed, causing an
	unsigned document to appear signed.
	published: 2021-04-14T12:00:00Z
	cve: CVE-2020-27846
	symbols:
	- IdpAuthnRequest.Validate
	- ServiceProvider.ParseXMLResponse
	- ServiceProvider.ValidateLogoutResponseForm
	- ServiceProvider.ValidateLogoutResponseRedirect
	links:
	commit: https://github.com/crewjam/saml/commit/da4f1a0612c0a8dd0452cf8b3c7a6518f6b4d053
	context:
	- https://github.com/crewjam/saml/security/advisories/GHSA-4hq8-gmxx-h6w9