CVE-2020-29510
published 2020-12-14CVE-2020-29510: The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows…
PriorityP434medium5.6CVSS 3.1
AVNACHPRNUINSUCLILAL
EPSS
2.05%
78.8th percentile
The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | — | — |
| github.com | dexidp_dex | >= 0 < 2.27.0 | 2.27.0 |
| github.com | russellhaering_goxmldsig | >= 0 < 1.1.0 | 1.1.0 |
| golang | go | <= 1.15 | — |
| golang | go | unspecified – 1.15 | — |
| paloalto | cortex_xsoar | — | — |
CVSS provenance
nvdv3.15.6MEDIUMCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
ghsa6.5MEDIUM
osv6.5MEDIUM
vendor_debian9.8LOW
vendor_redhat9.8CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Palo Alto
PAN-SA-2021-0001 Informational: Cortex XSOAR: Impact of Golang XML parsing vulnerabilities
vendor_paloalto·2021-01-13·CVSS 5.6
CVE-2020-29509 [MEDIUM] PAN-SA-2021-0001 Informational: Cortex XSOAR: Impact of Golang XML parsing vulnerabilities
PAN-SA-2021-0001 Informational: Cortex XSOAR: Impact of Golang XML parsing vulnerabilities
The Palo Alto Networks Product Security Assurance team evaluated the vulnerabilities (CVE-2020-29509, CVE-2020-29510, and CVE-2020-29511) that impact the standard Golang XML parsing library. All versions of Cortex XSOAR use a version of Golang that contains these vulnerabilities but there are no scenarios for successful
CVEs: CVE-2020-29509, CVE-2020-29510, CVE-2020-29511
Affected products: Cortex XSOAR
Red Hat
go: encoding/xml: XML directives instability
vendor_redhat·2020-12-14·CVSS 9.8
CVE-2020-29510 [CRITICAL] CWE-115 go: encoding/xml: XML directives instability
go: encoding/xml: XML directives instability
The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
A flaw was found in go. Encoding and decoding of XML directives could lead to changes in the observed integrity. An attacker could use this flaw to trick applications which rely on directive integrity for security decisions to make those decisions incorrectly. Known vulnerability use-cases are SAML and XML-DSig.
Statement: All uses of xml/encoding package in OpenShift Container Platform, OpenShift Jaeger, OpenShift Service Mesh (OSSM), OpenShift Virtuali
Debian
CVE-2020-29510: golang-1.15 - The encoding/xml package in Go versions 1.15 and earlier does not correctly pres...
vendor_debian·2020·CVSS 9.8
CVE-2020-29510 [CRITICAL] CVE-2020-29510: golang-1.15 - The encoding/xml package in Go versions 1.15 and earlier does not correctly pres...
The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
Scope: local
bullseye: open
GHSA
GHSA-p6mv-vmpw-j23r: The encoding/xml package in Go versions 1
ghsa_unreviewed·2022-05-24
CVE-2020-29510 [CRITICAL] GHSA-p6mv-vmpw-j23r: The encoding/xml package in Go versions 1
The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
GHSA
Critical security issues in XML encoding in github.com/dexidp/dex
ghsa·2021-12-20·CVSS 6.5
CVE-2020-26290 [MEDIUM] CWE-347 Critical security issues in XML encoding in github.com/dexidp/dex
Critical security issues in XML encoding in github.com/dexidp/dex
### Impact
The following vulnerabilities have been disclosed, which impact users leveraging the SAML connector:
Signature Validation Bypass (CVE-2020-15216): https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7
`encoding/xml` instabilities:
- [Element namespace prefix instability (CVE-2020-29511)](https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-elements.md)
- [Attribute namespace prefix instability (CVE-2020-29509)](https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-attributes.md)
- [Directive comment instability (CVE-2020-29510)](https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-dir
OSV
Critical security issues in XML encoding in github.com/dexidp/dex
osv·2021-12-20·CVSS 6.5
CVE-2020-26290 [MEDIUM] Critical security issues in XML encoding in github.com/dexidp/dex
Critical security issues in XML encoding in github.com/dexidp/dex
### Impact
The following vulnerabilities have been disclosed, which impact users leveraging the SAML connector:
Signature Validation Bypass (CVE-2020-15216): https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7
`encoding/xml` instabilities:
- [Element namespace prefix instability (CVE-2020-29511)](https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-elements.md)
- [Attribute namespace prefix instability (CVE-2020-29509)](https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-attributes.md)
- [Directive comment instability (CVE-2020-29510)](https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-dir
OSV
CVE-2020-29510: The encoding/xml package in Go versions 1
osv·2020-12-14·CVSS 5.6
CVE-2020-29510 [MEDIUM] CVE-2020-29510: The encoding/xml package in Go versions 1
The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-directives.mdhttps://security.netapp.com/advisory/ntap-20210129-0006/https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-directives.mdhttps://security.netapp.com/advisory/ntap-20210129-0006/
2020-12-14
Published