GMS-2021-100: Auth bypass in SAML provider

June 23, 2021

Impact

The following vulnerabilities have been disclosed, which impact users leveraging the SAML auth provider:

goxmldsig - Signature Validation Bypass
gosaml2 - Authentication Bypass

Patches

Patch available

Please upgrade to v1.0.0 or commit hash a2b4dd6bc4ef7562d1df044098b303f564eefa90

Workarounds

No known workarounds.

For more information

If you have any questions or comments about this advisory:

Open an issue in gotrue
Email us at security@netlify.com

References

github.com/advisories/GHSA-433w-mm6h-rv9p
github.com/netlify/gotrue/security/advisories/GHSA-433w-mm6h-rv9p

Detect and mitigate GMS-2021-100 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →