Advisories for Golang/Github.com/RobotsAndPencils/Go-Saml package

RobotsAndPencils go-saml, a SAML client library written in Go, contains an authentication bypass vulnerability in all known versions. This is due to how the xmlsec1 command line tool is called internally to verify the signature of SAML assertions. When xmlsec1 is used without defining the enabled key data, the origin of the public key for the signature verification is, unfortunately, not restricted. That means an attacker can sign the SAML …

XML Digital Signatures generated and validated using this package use SHA-1, which may allow an attacker to craft inputs which cause hash collisions depending on their control over the input.