CVE-2020-26290
published 2020-12-28


Priority: P3 45
CVSS 3.1: 9.6 critical
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.98% (57.7th percentile)
Dex is a federated OpenID Connect provider written in Go. In Dex before version 2.27.0 there is a critical set of vulnerabilities which impacts users leveraging the SAML connector. The vulnerabilities enable a potential signature bypass due to issues with XML encoding in the underlying Go library. The vulnerabilities have been addressed in version 2.27.0 by using the xml-roundtrip-validator from Mattermost (see related references).

Affected

4 ranges
Vendor           Product                    Version range       Fixed in
dexidp           dex                        < 2.27.0            2.27.0
github.com       dexidp_dex                 >= 0, < 2.27.0      2.27.0
github.com       russellhaering_goxmldsig   >= 0, < 1.1.0       1.1.0
linuxfoundation  dex                        < 2.27.0            2.27.0

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     9.6    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
nvd     v2.0     6.8    MEDIUM    AV:N/AC:M/Au:N/C:P/I:P/A:P
ghsa    -        6.5    MEDIUM    -
osv     -        6.5    MEDIUM    -