Advisories for Golang/Github.com/Russellhaering/Goxmldsig package

This affects all versions <0.7.0 of package github.com/russellhaering/gosaml2. There is a crash on nil-pointer dereference caused by sending malformed XML signatures.

This affects all versions of package github.com/russellhaering/goxmldsig. There is a crash on nil-pointer dereference caused by sending malformed XML signatures.

This affects all versions less than 0.7.0 of package github.com/russellhaering/gosaml2. There is a crash on null pointer dereference caused by sending malformed XML signatures.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-prjq-f4q3-fvfr. This link is maintained to preserve external references. Original Description This affects all versions less than 0.7.0 of package github.com/russellhaering/gosaml2. There is a crash on null pointer dereference caused by sending malformed XML signatures.

An authentication bypass exists in the goxmldsig this library uses to determine if SAML assertions are genuine. An attacker could craft a SAML response that would appear to be valid but would not have been genuinely issued by the IDP.

In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade to at least revision f6188febf0c29d7ffe26a0436212b19cb9615e64 or version 1.1.0