CVE-2020-29509
Published 2020-12-14
Priority: P4 · 32 · medium · 5.6 (CVSS 3.1)
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS: 2.08% (79.2th percentile)
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | — | — |
| github.com | dexidp_dex | >= 0 < 2.27.0 | 2.27.0 |
| github.com | russellhaering_gosaml2 | >= 0 < 0.6.0 | 0.6.0 |
| github.com | russellhaering_goxmldsig | >= 0 < 1.1.0 | 1.1.0 |
| golang | go | < 1.17 | 1.17 |
| golang | go | — | — |
| msrc | cbl2_golang_1.20.10-1_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_golang_1.17.13-2_on_cbl_mariner_1.0 | — | — |
| paloalto | cortex_xsoar | — | — |
CVSS provenance
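| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.6 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| ghsa | — | 6.5 | MEDIUM | — |
| osv | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 9.8 | LOW | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_msrc | — | 5.6 | MEDIUM | — |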
GHSA
Authentication Bypass in github.com/russellhaering/gosaml2
ghsa·2022-02-11
CVE-2020-29509 [CRITICAL] CWE-115 Authentication Bypass in github.com/russellhaering/gosaml2
### Impact
Given a valid SAML Response, it may be possible for an attacker to mutate the XML document in such a way that gosaml2 will trust a different portion of the document than was signed.
Depending on the implementation of the Service Provider this enables a variety of attacks, including users accessing accounts other than the one to which they authenticated in the Identity Provider, or full authentication bypass.
### Patches
Service Providers utilizing gosaml2 should upgrade to v0.6.0 or greater.
OSV
Authentication Bypass in github.com/russellhaering/gosaml2
osv·2022-02-11
CVE-2020-29509 [CRITICAL] Authentication Bypass in github.com/russellhaering/gosaml2
### Impact
Given a valid SAML Response, it may be possible for an attacker to mutate the XML document in such a way that gosaml2 will trust a different portion of the document than was signed.
Depending on the implementation of the Service Provider this enables a variety of attacks, including users accessing accounts other than the one to which they authenticated in the Identity Provider, or full authentication bypass.
### Patches
Service Providers utilizing gosaml2 should upgrade to v0.6.0 or greater.
GHSA
Critical security issues in XML encoding in github.com/dexidp/dex
ghsa·2021-12-20·CVSS 6.5
CVE-2020-26290 [MEDIUM] CWE-347 Critical security issues in XML encoding in github.com/dexidp/dex
### Impact
The following vulnerabilities have been disclosed, which impact users leveraging the SAML connector:
Signature Validation Bypass (CVE-2020-15216): https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7
`encoding/xml` instabilities:
- [Element namespace prefix instability (CVE-2020-29511)](https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-elements.md)
- [Attribute namespace prefix instability (CVE-2020-29509)](https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-attributes.md)
- [Directive comment instability (CVE-2020-29510)](https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-dir
OSV
Critical security issues in XML encoding in github.com/dexidp/dex
osv·2021-12-20·CVSS 6.5
CVE-2020-26290 [MEDIUM] Critical security issues in XML encoding in github.com/dexidp/dex
### Impact
The following vulnerabilities have been disclosed, which impact users leveraging the SAML connector:
Signature Validation Bypass (CVE-2020-15216): https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7
`encoding/xml` instabilities:
- [Element namespace prefix instability (CVE-2020-29511)](https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-elements.md)
- [Attribute namespace prefix instability (CVE-2020-29509)](https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-attributes.md)
- [Directive comment instability (CVE-2020-29510)](https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-dir
OSV
Authentication bypass in github.com/russellhaering/gosaml2
osv·2021-04-14
CVE-2020-29509 Authentication bypass in github.com/russellhaering/gosaml2
Due to the behavior of encoding/xml, a crafted XML document may cause XML Digital Signature validation to be entirely bypassed, causing an unsigned document to appear signed.
OSV
CVE-2020-29509: The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trip
osv·2020-12-14·CVSS 5.6
CVE-2020-29509 [MEDIUM] CVE-2020-29509: The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trip
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
Palo Alto
PAN-SA-2021-0001 Informational: Cortex XSOAR: Impact of Golang XML parsing vulnerabilities
vendor_paloalto·2021-01-13·CVSS 5.6
CVE-2020-29509 [MEDIUM] PAN-SA-2021-0001 Informational: Cortex XSOAR: Impact of Golang XML parsing vulnerabilities
The Palo Alto Networks Product Security Assurance team evaluated the vulnerabilities (CVE-2020-29509, CVE-2020-29510, and CVE-2020-29511) that impact the standard Golang XML parsing library. All versions of Cortex XSOAR use a version of Golang that contains these vulnerabilities but there are no scenarios for successful
CVEs: CVE-2020-29509, CVE-2020-29510, CVE-2020-29511
Affected products: Cortex XSOAR
Red Hat
go: encoding/xml: XML attribute instability
vendor_redhat·2020-12-14·CVSS 9.8
CVE-2020-29509 [CRITICAL] CWE-115 go: encoding/xml: XML attribute instability
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
A flaw was found in go. Encoding and decoding of XML attributes could lead to changes in the observed integrity. An attacker could use this flaw to trick applications which rely on attribute integrity for security decisions to make those decisions incorrectly. Known vulnerability use-cases are SAML and XML-DSig.
Statement: All uses of xml/encoding package in OpenShift Container Platform, OpenShift Jaeger, OpenShift Service Mesh (OSSM), OpenShift Vi
Microsoft
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips which allows an attacker to craft inputs that be
vendor_msrc·2020-12-08·CVSS 5.6
CVE-2020-29509 [CRITICAL] CWE-115 The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips which allows an attacker to craft inputs that be
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this
Debian
CVE-2020-29509: golang-1.15 - The encoding/xml package in Go (all versions) does not correctly preserve the se...
vendor_debian·2020·CVSS 9.8
CVE-2020-29509 [CRITICAL] CVE-2020-29509: golang-1.15 - The encoding/xml package in Go (all versions) does not correctly preserve the se...
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
Scope: local
bullseye: open
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
- https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-attributes.md
- https://security.netapp.com/advisory/ntap-20210129-0006/

Published: 2020-12-14