CVE-2020-29509Misinterpretation of Input in Russellhaering Gosaml2

CWE-115Misinterpretation of InputCWE-347Improper Verification of Cryptographic Signature11 documents8 sources
Severity
5.6MEDIUMNVD
CNA9.8GHSA5.3
EPSS
0.2%
top 59.45%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Github.com Russellhaering Gosaml2Golang GOPaloalto Cortex Xsoar
Timeline
PublishedDec 14
Latest updateFeb 11

Description

The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:LExploitability: 2.2 | Impact: 3.4

Affected Packages4 packages

NVDgolang/go< 1.17
CVEListV5golang/goAll versions

🔴Vulnerability Details

6
GHSA
Authentication Bypass in github.com/russellhaering/gosaml22022-02-11
OSV
Authentication Bypass in github.com/russellhaering/gosaml22022-02-11
GHSA
Critical security issues in XML encoding in github.com/dexidp/dex2021-12-20
OSV
Authentication bypass in github.com/russellhaering/gosaml22021-04-14
CVEList
CVE-2020-29509: The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trip2020-12-14

📋Vendor Advisories

4
Palo Alto
PAN-SA-2021-0001 Informational: Cortex XSOAR: Impact of Golang XML parsing vulnerabilities2021-01-13
Red Hat
go: encoding/xml: XML attribute instability2020-12-14
Microsoft
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips which allows an attacker to craft inputs that be2020-12-08
Debian
CVE-2020-29509: golang-1.15 - The encoding/xml package in Go (all versions) does not correctly preserve the se...2020
CVE-2020-29509 — Misinterpretation of Input | cvebase