# github.com/russellhaering/goxmldsig vulnerabilities

5 known vulnerabilities affecting github.com/russellhaering/goxmldsig.
- Total CVEs: 5
- CISA KEV: 0
- Public exploits: 0
- Exploited in wild: 0
- Severity breakdown: HIGH 3, MEDIUM 2
## Vulnerabilities
### CVE-2026-33487 [HIGH] CWE-347 validateSignature Loop Variable Capture Signature Bypass in goxmldsig

Severity: HIGH. Affected versions: ≥ 0, < 1.6.0. Date: 2026-03-18.

#### Details
The `validateSignature` function in `validate.go` goes through the references in the `SignedInfo` block to find one that matches the signed element's ID. In Go versions before 1.22, or when `go.mod` uses an older version, there is a loop variable capture issue. The code takes the address of the loop variable `_ref`

Sources: GHSA, OSV
### CVE-2020-7731 [HIGH] CWE-476 github.com/russellhaering/gosaml2 is vulnerable to NULL Pointer Dereference

Severity: HIGH. Affected versions: ≥ 0, < 1.1.1. Date: 2022-11-15.

#### Impact
In versions prior to v0.7.0 it was possible for an attacker to supply an invalid assertion which would trigger a panic due to a nil-pointer dereference.
#### Patches
The issue was patched in v0.7.0, released on March 2, 2022.
#### Workarounds
Callers to `gosaml2` can use `recover()` to handle panics to mit

Sources: GHSA
### CVE-2020-26290 [MEDIUM] CWE-347 Critical security issues in XML encoding in github.com/dexidp/dex

Severity: MEDIUM (CVSS 6.5). Affected versions: ≥ 0, < 1.1.0. Date: 2021-12-20.

#### Impact
The following vulnerabilities have been disclosed, which impact users leveraging the SAML connector:
- Signature Validation Bypass (CVE-2020-15216): https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7
- `encoding/xml` instabilities:
  - [Element namespace prefix instability (CVE-2020-29511)](ht

Sources: GHSA, OSV
### CVE-2020-15216 [MEDIUM] CWE-347 github.com/russellhaering/goxmldsig vulnerable to Signature Validation Bypass

Severity: MEDIUM. Affected versions: ≥ 0, < 1.1.0. Date: 2021-05-24.

#### Impact
With a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one.
#### Patches
A patch is available; all users of goxmldsig should upgrade to v1.1.0.
#### For more information
If you have any questions or comments about this advis

Sources: GHSA, OSV
### CVE-2020-7711 [HIGH] CWE-476

Severity: HIGH (CVSS 7.5). Affected versions: fixed in unspecified. Date: 2020-08-23.

This affects all versions of package github.com/russellhaering/goxmldsig. There is a crash on nil-pointer dereference caused by sending malformed XML signatures.

Sources: cvelistv5, GHSA, NVD, OSV