GHSA-m9hp-7r99-94h5

Source

https://github.com/advisories/GHSA-m9hp-7r99-94h5

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-m9hp-7r99-94h5/GHSA-m9hp-7r99-94h5.json

Aliases

• CVE-2020-15216
• CVE-2020-26290
• CVE-2020-27847
• GHSA-2x32-jm95-2cpx
• GHSA-q547-gmf8-8jr7
• GO-2020-0050
• GO-2021-0056
• GO-2022-0409

Related

• GO-2020-0050

Published

2021-12-20T17:53:53Z

Modified

2023-11-10T21:41:30.893968Z

Details

Impact

The following vulnerabilities have been disclosed, which impact users leveraging the SAML connector:

Signature Validation Bypass (CVE-2020-15216): https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7

encoding/xml instabilities: - Element namespace prefix instability (CVE-2020-29511) - Attribute namespace prefix instability (CVE-2020-29509) - Directive comment instability (CVE-2020-29510)

Patches

Immediately update to Dex v2.27.0.

Workarounds

There are no known workarounds.

References

• https://github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5
• https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7
• https://nvd.nist.gov/vuln/detail/CVE-2020-26290
• https://github.com/dexidp/dex/commit/324b1c886b407594196113a3dbddebe38eecd4e8
• https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64
• https://github.com/dexidp/dex/releases/tag/v2.27.0
• https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-attributes.md
• https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-directives.md
• https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-elements.md
• https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities
• https://pkg.go.dev/vuln/GO-2020-0050