Vulnerability Report: GO-2020-0046

CVE-2020-7711, CVE-2020-7731, and 3 more
Affects: github.com/russellhaering/goxmldsig, github.com/russellhaering/gosaml2
Published: Apr 14, 2021
Modified: May 20, 2024

Due to a nil pointer dereference, a malformed XML Digital Signature can cause a panic during validation. If user supplied signatures are being validated, this may be used as a denial of service vector.

Affected Packages

Path

Go Versions

Symbols
github.com/russellhaering/goxmldsig

before v1.1.1
- ValidationContext.Validate
github.com/russellhaering/gosaml2

before v0.7.0

Aliases

CVE-2020-7711
CVE-2020-7731
GHSA-gq5r-cc4w-g8xf
GHSA-mqqv-chpx-vq25
GHSA-prjq-f4q3-fvfr

References

https://github.com/russellhaering/goxmldsig/issues/48
https://github.com/russellhaering/gosaml2/issues/59
https://vuln.go.dev/ID/GO-2020-0046.json

Credits

@stevenjohnstone

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL