Critical security issues in XML encoding in github.com/dexidp/dex

Critical severity GitHub Reviewed Published Dec 14, 2020 in dexidp/dex • Updated Oct 2, 2023

Package

gomod github.com/dexidp/dex (Go)

Affected versions

< 2.27.0

Patched versions

2.27.0

Package

gomod github.com/russellhaering/goxmldsig (Go)

Affected versions

< 1.1.0

Patched versions

1.1.0

@justaugustus published to dexidp/dex Dec 14, 2020
Reviewed May 21, 2021
Published to the GitHub Advisory Database Dec 20, 2021
Last updated Oct 2, 2023

Severity

Critical 9.3 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Weaknesses

CVE ID

CVE-2020-26290

GHSA ID

GHSA-m9hp-7r99-94h5

Source code

No known source code

Credits
