CVE-2020-29511
published 2020-12-14CVE-2020-29511: The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which…
PriorityP432medium5.6CVSS 3.1
AVNACHPRNUINSUCLILAL
EPSS
1.94%
77.7th percentile
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | — | — |
| github.com | dexidp_dex | >= 0 < 2.27.0 | 2.27.0 |
| github.com | russellhaering_goxmldsig | >= 0 < 1.1.0 | 1.1.0 |
| golang | go | < 1.17 | 1.17 |
| golang | go | — | — |
| msrc | cbl2_golang_1.20.10-1_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_golang_1.17.13-2_on_cbl_mariner_1.0 | — | — |
| paloalto | cortex_xsoar | — | — |
CVSS provenance
nvdv3.15.6MEDIUMCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
ghsa6.5MEDIUM
osv6.5MEDIUM
vendor_debian9.8LOW
vendor_redhat9.8CRITICAL
vendor_msrc5.6MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Palo Alto
PAN-SA-2021-0001 Informational: Cortex XSOAR: Impact of Golang XML parsing vulnerabilities
vendor_paloalto·2021-01-13·CVSS 5.6
CVE-2020-29509 [MEDIUM] PAN-SA-2021-0001 Informational: Cortex XSOAR: Impact of Golang XML parsing vulnerabilities
PAN-SA-2021-0001 Informational: Cortex XSOAR: Impact of Golang XML parsing vulnerabilities
The Palo Alto Networks Product Security Assurance team evaluated the vulnerabilities (CVE-2020-29509, CVE-2020-29510, and CVE-2020-29511) that impact the standard Golang XML parsing library. All versions of Cortex XSOAR use a version of Golang that contains these vulnerabilities but there are no scenarios for successful
CVEs: CVE-2020-29509, CVE-2020-29510, CVE-2020-29511
Affected products: Cortex XSOAR
Red Hat
go: encoding/xml: XML element instability
vendor_redhat·2020-12-14·CVSS 9.8
CVE-2020-29511 [CRITICAL] CWE-115 go: encoding/xml: XML element instability
go: encoding/xml: XML element instability
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
A flaw was found in go. Encoding and decoding of XML elements could lead to changes in the observed integrity. An attacker could use this flaw to trick applications which rely on element integrity for security decisions to make those decisions incorrectly. Known vulnerability use-cases are SAML and XML-DSig.
Statement: All uses of xml/encoding package in OpenShift Container Platform, OpenShift Jaeger, OpenShift Service Mesh (OSSM), OpenShift Virtualiza
Microsoft
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips which allows an attacker to craft inputs that beha
vendor_msrc·2020-12-08·CVSS 5.6
CVE-2020-29511 [CRITICAL] CWE-115 The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips which allows an attacker to craft inputs that beha
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this b
Debian
CVE-2020-29511: golang-1.15 - The encoding/xml package in Go (all versions) does not correctly preserve the se...
vendor_debian·2020·CVSS 9.8
CVE-2020-29511 [CRITICAL] CVE-2020-29511: golang-1.15 - The encoding/xml package in Go (all versions) does not correctly preserve the se...
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
Scope: local
bullseye: open
GHSA
GHSA-g7v2-7v9m-q9j4: The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips,
ghsa_unreviewed·2022-05-24
CVE-2020-29511 [CRITICAL] CWE-115 GHSA-g7v2-7v9m-q9j4: The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips,
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
GHSA
Critical security issues in XML encoding in github.com/dexidp/dex
ghsa·2021-12-20·CVSS 6.5
CVE-2020-26290 [MEDIUM] CWE-347 Critical security issues in XML encoding in github.com/dexidp/dex
Critical security issues in XML encoding in github.com/dexidp/dex
### Impact
The following vulnerabilities have been disclosed, which impact users leveraging the SAML connector:
Signature Validation Bypass (CVE-2020-15216): https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7
`encoding/xml` instabilities:
- [Element namespace prefix instability (CVE-2020-29511)](https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-elements.md)
- [Attribute namespace prefix instability (CVE-2020-29509)](https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-attributes.md)
- [Directive comment instability (CVE-2020-29510)](https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-dir
OSV
Critical security issues in XML encoding in github.com/dexidp/dex
osv·2021-12-20·CVSS 6.5
CVE-2020-26290 [MEDIUM] Critical security issues in XML encoding in github.com/dexidp/dex
Critical security issues in XML encoding in github.com/dexidp/dex
### Impact
The following vulnerabilities have been disclosed, which impact users leveraging the SAML connector:
Signature Validation Bypass (CVE-2020-15216): https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7
`encoding/xml` instabilities:
- [Element namespace prefix instability (CVE-2020-29511)](https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-elements.md)
- [Attribute namespace prefix instability (CVE-2020-29509)](https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-attributes.md)
- [Directive comment instability (CVE-2020-29510)](https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-dir
OSV
CVE-2020-29511: The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips,
osv·2020-12-14·CVSS 5.6
CVE-2020-29511 [MEDIUM] CVE-2020-29511: The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips,
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-elements.mdhttps://security.netapp.com/advisory/ntap-20210129-0006/https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-elements.mdhttps://security.netapp.com/advisory/ntap-20210129-0006/
2020-12-14
Published