CVE-2020-26290
Published 2020-12-28
Priority P345 · Severity: critical · CVSS 3.1 base score 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS: 0.98% (57.7th percentile)
Dex is a federated OpenID Connect provider written in Go. In Dex before version 2.27.0 there is a critical set of vulnerabilities which impacts users leveraging the SAML connector. The vulnerabilities enable a potential signature bypass due to issues with XML encoding in the underlying Go library (`encoding/xml`). The vulnerabilities have been addressed in version 2.27.0 by using the xml-roundtrip-validator from Mattermost (see related references).
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dexidp | dex | < 2.27.0 | 2.27.0 |
| github.com | dexidp_dex | >= 0 < 2.27.0 | 2.27.0 |
| github.com | russellhaering_goxmldsig | >= 0 < 1.1.0 | 1.1.0 |
| linuxfoundation | dex | < 2.27.0 | 2.27.0 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| ghsa | | 6.5 | MEDIUM | |
| osv | | 6.5 | MEDIUM | |
GHSA
Critical security issues in XML encoding in github.com/dexidp/dex
ghsa·2021-12-20·CVSS 6.5
CVE-2020-26290 [MEDIUM] CWE-347 Critical security issues in XML encoding in github.com/dexidp/dex
### Impact
The following vulnerabilities have been disclosed, which impact users leveraging the SAML connector:
- Signature Validation Bypass (CVE-2020-15216): https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7
- `encoding/xml` instabilities:
  - [Element namespace prefix instability (CVE-2020-29511)](https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-elements.md)
  - [Attribute namespace prefix instability (CVE-2020-29509)](https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-attributes.md)
  - [Directive comment instability (CVE-2020-29510)](https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-dir
OSV
Critical security issues in XML encoding in github.com/dexidp/dex
osv·2021-12-20·CVSS 6.5
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/dexidp/dex/commit/324b1c886b407594196113a3dbddebe38eecd4e8
- https://github.com/dexidp/dex/releases/tag/v2.27.0
- https://github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5
- https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-attributes.md
- https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-directives.md
- https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-elements.md
- https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7
- https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/