GHSA-rrfw-hg9m-j47h

Source
https://github.com/advisories/GHSA-rrfw-hg9m-j47h
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-rrfw-hg9m-j47h/GHSA-rrfw-hg9m-j47h.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-rrfw-hg9m-j47h
Published
2021-05-24T16:59:42Z
Modified
2021-10-08T21:25:26Z
Summary
Signature Validation Bypass
Details

Impact

An authentication bypass exists in the goxmldsig library that this library uses to determine whether SAML assertions are genuine. An attacker could craft a SAML response that would appear to be valid but would not have been genuinely issued by the IDP.

Patches

Version 0.4.2 bumps the dependency, which should fix the issue.

For more information

Please see the advisory in goxmldsig

Credits

The original vulnerability was discovered by @jupenur. Thanks to @russellhaering for the heads up.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-347"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-21T22:23:03Z"
}
References

Affected packages

Go / github.com/russellhaering/goxmldsig

Package

Name
github.com/russellhaering/goxmldsig
Purl
pkg:golang/github.com/russellhaering/goxmldsig

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.4.2

Database specific

{
    "last_known_affected_version_range": "<= 0.4.1"
}