id: GO-2020-0046
modules:
- module: github.com/russellhaering/goxmldsig
  versions:
  - fixed: 1.1.1
  vulnerable_at: 1.1.0
  packages:
  - package: github.com/russellhaering/goxmldsig
    symbols:
    - ValidationContext.validateSignature
    derived_symbols:
    - ValidationContext.Validate
- module: github.com/russellhaering/gosaml2
  versions:
  - fixed: 0.7.0
  vulnerable_at: 0.6.0
  packages:
  - package: github.com/russellhaering/gosaml2
    symbols:
    - SAMLServiceProvider.validateAssertionSignatures
    derived_symbols:
    - SAMLServiceProvider.RetrieveAssertionInfo
    - SAMLServiceProvider.ValidateEncodedLogoutRequestPOST
    - SAMLServiceProvider.ValidateEncodedLogoutResponsePOST
    - SAMLServiceProvider.ValidateEncodedResponse
summary: |-
  Panic due to malformed XML digital signature in
  github.com/russellhaering/goxmldsig
description: |-
  Due to a nil pointer dereference, a malformed XML Digital Signature can cause a
  panic during validation. If user-supplied signatures are being validated, this
  may be used as a denial of service vector.
published: 2021-04-14T20:04:52Z
cves:
- CVE-2020-7711
- CVE-2020-7731
ghsas:
- GHSA-gq5r-cc4w-g8xf
- GHSA-mqqv-chpx-vq25
- GHSA-prjq-f4q3-fvfr
credits:
- '@stevenjohnstone'
references:
- web: https://github.com/russellhaering/goxmldsig/issues/48
- web: https://github.com/russellhaering/gosaml2/issues/59
review_status: REVIEWED