CVE-2020-26290

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-26290

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-26290.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-26290

Aliases

GHSA-m9hp-7r99-94h5

Related

Published

2020-12-28T20:15:12Z

Modified

2025-07-01T23:53:53.321224Z

Downstream

openSUSE-SU-2024:10714-1

Severity

9.6 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Dex is a federated OpenID Connect provider written in Go. In Dex before version 2.27.0 there is a critical set of vulnerabilities which impacts users leveraging the SAML connector. The vulnerabilities enables potential signature bypass due to issues with XML encoding in the underlying Go library. The vulnerabilities have been addressed in version 2.27.0 by using the xml-roundtrip-validator from Mattermost (see related references).

References

Affected packages

Git / github.com/dexidp/dex

Affected ranges

Type: GIT
Repo: https://github.com/dexidp/dex
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

0f9e2888ab65c5b18c4881eaeeb7e38d997e1d92

Fixed

324b1c886b407594196113a3dbddebe38eecd4e8

Affected versions

api/v2.*

api/v2.0.0

v2.*

v2.0.0

v2.0.0-alpha.1

v2.0.0-alpha.2

v2.0.0-alpha.3

v2.0.0-alpha.4

v2.0.0-alpha.5

v2.0.0-beta.1

v2.0.0-beta.2

v2.0.0-beta.3

v2.0.1

v2.1.0

v2.10.0

v2.11.0

v2.12.0

v2.13.0

v2.14.0

v2.15.0

v2.16.0

v2.17.0

v2.18.0

v2.19.0

v2.2.0

v2.2.3

v2.20.0

v2.21.0

v2.22.0

v2.23.0

v2.24.0

v2.25.0

v2.26.0

v2.3.0

v2.4.0

v2.5.0

v2.6.0

v2.7.0

v2.7.1

v2.8.0

v2.9.0