{ "schema_version": "1.3.1", "id": "GO-2021-0058", "modified": "0001-01-01T00:00:00Z", "published": "2021-04-14T20:04:52Z", "aliases": [ "CVE-2020-27846", "GHSA-4hq8-gmxx-h6w9" ], "summary": "Signature validation bypass due to XML processing error in github.com/crewjam/saml", "details": "Due to the behavior of encoding/xml, a crafted XML document may cause XML Digital Signature validation to be entirely bypassed, causing an unsigned document to appear signed.", "affected": [ { "package": { "name": "github.com/crewjam/saml", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.4.3" } ] } ], "ecosystem_specific": { "imports": [ { "path": "github.com/crewjam/saml", "symbols": [ "IdentityProvider.ServeSSO", "IdpAuthnRequest.Validate", "ServiceProvider.ParseResponse", "ServiceProvider.ParseXMLResponse", "ServiceProvider.ValidateLogoutResponseForm", "ServiceProvider.ValidateLogoutResponseRedirect", "ServiceProvider.ValidateLogoutResponseRequest" ] }, { "path": "github.com/crewjam/saml/samlidp", "symbols": [ "Server.HandlePutService", "getSPMetadata" ] }, { "path": "github.com/crewjam/saml/samlsp", "symbols": [ "FetchMetadata", "Middleware.ServeHTTP", "New", "ParseMetadata" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://github.com/crewjam/saml/commit/da4f1a0612c0a8dd0452cf8b3c7a6518f6b4d053" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0058", "review_status": "REVIEWED" } }