Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW05aHAtN3I5OS05NGg1

Critical EPSS: 0.005% (0.64516 Percentile) EPSS:
Permalink JSON

Critical security issues in XML encoding in github.com/dexidp/dex

Affected Packages Affected Versions Fixed Versions
go:github.com/russellhaering/goxmldsig
PURL: pkg:go/github.com%2Frussellhaering%2Fgoxmldsig
< 1.1.0 1.1.0
466 Dependent packages
1,514 Dependent repositories

Affected Version Ranges

All affected versions

All unaffected versions

v1.1.0, v1.1.1, v1.2.0, v1.3.0, v1.4.0, v1.5.0
go:github.com/dexidp/dex
PURL: pkg:go/github.com%2Fdexidp%2Fdex
< 2.27.0 2.27.0
49 Dependent packages
67 Dependent repositories

Affected Version Ranges

All affected versions

v0.1.0, v0.2.0, v0.2.1, v0.2.2, v0.2.3, v0.3.0, v0.4.0, v0.5.0, v0.5.1, v0.6.0, v0.6.1, v2.0.0+incompatible, v2.0.0-alpha.1+incompatible, v2.0.0-alpha.2+incompatible, v2.0.0-alpha.3+incompatible, v2.0.0-alpha.4+incompatible, v2.0.0-alpha.5+incompatible, v2.0.0-beta.1+incompatible, v2.0.0-beta.2+incompatible, v2.0.0-beta.3+incompatible, v2.0.1+incompatible, v2.0.2+incompatible, v2.1.0+incompatible, v2.2.0+incompatible, v2.2.1+incompatible, v2.2.2+incompatible, v2.2.3+incompatible, v2.2.4+incompatible, v2.2.5+incompatible, v2.3.0+incompatible, v2.3.1+incompatible, v2.4.0+incompatible, v2.4.1+incompatible, v2.5.0+incompatible, v2.6.0+incompatible, v2.6.1+incompatible, v2.7.0+incompatible, v2.7.1+incompatible, v2.8.0+incompatible, v2.8.1+incompatible, v2.9.0+incompatible, v2.10.0+incompatible, v2.11.0+incompatible, v2.12.0+incompatible, v2.13.0+incompatible

All unaffected versions

Impact

The following vulnerabilities have been disclosed, which impact users leveraging the SAML connector:

Signature Validation Bypass (CVE-2020-15216): https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7

encoding/xml instabilities:

Patches

Immediately update to Dex v2.27.0.

Workarounds

There are no known workarounds.

References:

Identifiers

GHSA-m9hp-7r99-94h5

CVE-2020-26290

Risk

Severity

Critical

EPSS

EPSS Percentage: 0.005

EPSS Percentile: 0.64516

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/dexidp/dex

Date and time

Published

almost 4 years ago

Updated

about 2 years ago

API

JSON