blob: 23b404bc73f34bc0cc37ec5c9b922a19bf6a4655 [file] [log] [blame]
id: GO-2021-0060
modules:
- module: github.com/russellhaering/gosaml2
versions:
- fixed: 0.6.0
vulnerable_at: 0.5.0
packages:
- package: github.com/russellhaering/gosaml2
symbols:
- parseResponse
derived_symbols:
- SAMLServiceProvider.RetrieveAssertionInfo
- SAMLServiceProvider.ValidateEncodedLogoutRequestPOST
- SAMLServiceProvider.ValidateEncodedLogoutResponsePOST
- SAMLServiceProvider.ValidateEncodedResponse
summary: Authentication bypass in github.com/russellhaering/gosaml2
description: |-
Due to the behavior of encoding/xml, a crafted XML document may cause XML
Digital Signature validation to be entirely bypassed, causing an unsigned
document to appear signed.
published: 2021-04-14T20:04:52Z
cves:
- CVE-2020-29509
ghsas:
- GHSA-xhqq-x44f-9fgg
credits:
- Juho Nurminen
references:
- fix: https://github.com/russellhaering/gosaml2/commit/42606dafba60c58c458f14f75c4c230459672ab9
review_status: REVIEWED