CVE-2020-29511 — Misinterpretation of Input in Dexidp DEX
Severity
5.6 MEDIUM (NVD)
CNA 9.8 | GHSA 6.5 | OSV 6.5
EPSS
0.2%
top 59.47%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Dec 14
Latest update: May 24
Description
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Exploitability: 2.2 | Impact: 3.4
Affected Packages: 5 packages
🔴 Vulnerability Details (5)
GHSA
GHSA-g7v2-7v9m-q9j4: The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, (2022-05-24)
OSV
CVE-2020-29511: The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, (2020-12-14)
CVEList
CVE-2020-29511: The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, (2020-12-14)
📋 Vendor Advisories (4)
Palo Alto
PAN-SA-2021-0001 Informational: Cortex XSOAR: Impact of Golang XML parsing vulnerabilities (2021-01-13)
Microsoft
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips which allows an attacker to craft inputs that beha (2020-12-08)
Debian
CVE-2020-29511: golang-1.15 - The encoding/xml package in Go (all versions) does not correctly preserve the se... (2020)