CVE-2020-29509: Authentication Bypass in github.com/russellhaering/gosaml2

February 11, 2022

The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.

References

github.com/advisories/GHSA-xhqq-x44f-9fgg
github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-attributes.md
github.com/russellhaering/gosaml2/security/advisories/GHSA-xhqq-x44f-9fgg
nvd.nist.gov/vuln/detail/CVE-2020-29509
security.netapp.com/advisory/ntap-20210129-0006/

Detect and mitigate CVE-2020-29509 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →