id: GO-2021-0058
modules:
    - module: github.com/crewjam/saml
      versions:
        - fixed: 0.4.3
      vulnerable_at: 0.4.2
      packages:
        - package: github.com/crewjam/saml
          symbols:
            - IdpAuthnRequest.Validate
            - ServiceProvider.ParseXMLResponse
            - ServiceProvider.ValidateLogoutResponseForm
            - ServiceProvider.ValidateLogoutResponseRedirect
          derived_symbols:
            - IdentityProvider.ServeSSO
            - ServiceProvider.ParseResponse
            - ServiceProvider.ValidateLogoutResponseRequest
        - package: github.com/crewjam/saml/samlidp
          symbols:
            - getSPMetadata
          derived_symbols:
            - Server.HandlePutService
        - package: github.com/crewjam/saml/samlsp
          symbols:
            - ParseMetadata
          derived_symbols:
            - FetchMetadata
            - Middleware.ServeHTTP
            - New
summary: |-
    Signature validation bypass due to XML processing error in
    github.com/crewjam/saml
description: |-
    Due to the behavior of encoding/xml, a crafted XML document may cause XML
    Digital Signature validation to be entirely bypassed, causing an unsigned
    document to appear signed.
published: 2021-04-14T20:04:52Z
cves:
    - CVE-2020-27846
ghsas:
    - GHSA-4hq8-gmxx-h6w9
references:
    - fix: https://github.com/crewjam/saml/commit/da4f1a0612c0a8dd0452cf8b3c7a6518f6b4d053