GMS-2021-103: Signature Validation Bypass

May 24, 2021 (updated October 5, 2021)

Impact

Given a valid SAML Response, an attacker can potentially modify the document, bypassing signature validation in order to pass off the altered document as a signed one.

This enables a variety of attacks, including users accessing accounts other than the one to which they authenticated in the identity provider, or full authentication bypass if an external attacker can obtain an expired, signed SAML Response.

Patches

A patch is available, users of gosaml2 should upgrade to v0.5.0 or higher.

References

See the underlying advisory on goxmldsig for more details.

References

github.com/advisories/GHSA-5684-g483-2249
github.com/russellhaering/gosaml2/security/advisories/GHSA-5684-g483-2249

Detect and mitigate GMS-2021-103 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →