CRITICAL 9.3 Go
Critical security issues in XML encoding in github.com/dexidp/dex
GHSA-m9hp-7r99-94h5 · CVE-2020-26290
Published · Modified
Description
Impact
The following vulnerabilities have been disclosed, which impact users leveraging the SAML connector:
Signature Validation Bypass (CVE-2020-15216): https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7
encoding/xml instabilities:
- Element namespace prefix instability (CVE-2020-29511)
- Attribute namespace prefix instability (CVE-2020-29509)
- Directive comment instability (CVE-2020-29510)
Patches
Immediately update to Dex v2.27.0.
Workarounds
There are no known workarounds.
References
- WEB https://github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5
- WEB https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2020-26290
- WEB https://github.com/dexidp/dex/commit/324b1c886b407594196113a3dbddebe38eecd4e8
- WEB https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64
- WEB https://github.com/dexidp/dex/releases/tag/v2.27.0
- WEB https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-attributes.md
- WEB https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-directives.md
- WEB https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-elements.md
- WEB https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities
- WEB https://pkg.go.dev/vuln/GO-2020-0050
Ready to move
Start Securing
Free, no credit card | First findings in minutes