CVE-2020-27847 — Improper Handling of Syntactically Invalid Structure in Dexidp DEX

CWE-228 — Improper Handling of Syntactically Invalid Structure CWE-290 — Authentication Bypass by Spoofing5 documents5 sources

Severity

9.8CRITICALNVD

EPSS

0.4%

top 41.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Dexidp DEX Linuxfoundation DEX Dexidp DEX

Timeline

PublishedMay 28

Latest updateDec 20

Description

A vulnerability exists in the SAML connector of the github.com/dexidp/dex library used to process SAML Signature Validation. This flaw allows an attacker to bypass SAML authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. This flaw affects dex versions before 2.27.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶Gogithub.com/dexidp_dex< 2.27.0

▶CVEListV5dexidp/dexdex 2.27.0

▶NVDlinuxfoundation/dex< 2.27.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Authentication Bypass in dex↗2021-12-20

▶

OSV

Authentication Bypass in dex↗2021-12-20

▶

CVEList

CVE-2020-27847: A vulnerability exists in the SAML connector of the github↗2021-05-28

▶

📋Vendor Advisories

Red Hat

dexidp/dex: authentication bypass in saml authentication↗2020-12-15

▶