Russell Haering · Goxmldsig · CVE-2020-7711
**Name of the Vulnerable Software and Affected Versions**
github.com/russellhaering/goxmldsig versions prior to 1.1.1
github.com/russellhaering/gosaml2 versions prior to 0.7.0
**Description**
The library dereferences a nil pointer while validating a malformed XML signature, so the process panics and crashes. Any service that validates signatures supplied by untrusted parties (for gosaml2, the assertions in an incoming SAML response) is exposed: an attacker who submits a crafted, invalid assertion can trigger the panic at will, which makes this a denial-of-service vector.
**Recommendations**
For github.com/russellhaering/goxmldsig versions prior to 1.1.1, update to version 1.1.1 or later to resolve the issue.
For github.com/russellhaering/gosaml2 versions prior to 0.7.0, update to version 0.7.0 or later to resolve the issue.
As a temporary workaround for github.com/russellhaering/gosaml2, callers can wrap the call that validates an incoming assertion in a function with a deferred `recover()`, converting the panic into an error so that a single malformed assertion does not terminate the process. This only mitigates the crash; it does not correct the underlying nil-pointer dereference, so upgrading remains the fix. Note also that when validation runs directly inside a `net/http` handler, the server's own per-connection `recover()` already keeps the process alive (the panic is logged and the connection closed), but a panic in a goroutine spawned by the handler, or in validation performed outside the request path, still terminates the process.
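The following is an added example, not code from goxmldsig or gosaml2, showing the bug class the advisory describes and the `recover()` workaround beside the proper fix. The `Signature`/`SignedInfo` types are a deliberately simplified stand-in for an XML-DSig structure (an assumption for illustration; goxmldsig's real types and validation logic differ), and the two XML inputs are constructed samples. `naiveValidate` dereferences optional child elements unconditionally and panics on the malformed input; `safeValidate` wraps it with a deferred `recover()` so the panic becomes an error; `fixedValidate` shows the correct remedy, explicit nil checks before dereferencing.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
)

// Simplified, constructed model of an XML-DSig <Signature>. Pointer fields
// are nil when the corresponding element is absent from the input. These are
// illustration-only types, not goxmldsig's own.
type CanonicalizationMethod struct {
	Algorithm string `xml:"Algorithm,attr"`
}

type SignedInfo struct {
	CanonicalizationMethod *CanonicalizationMethod `xml:"CanonicalizationMethod"`
}

type Signature struct {
	XMLName    xml.Name    `xml:"Signature"`
	SignedInfo *SignedInfo `xml:"SignedInfo"`
}

// naiveValidate mirrors the bug class in the advisory: it assumes the optional
// elements are present and dereferences them without checking for nil.
func naiveValidate(doc []byte) error {
	var sig Signature
	if err := xml.Unmarshal(doc, &sig); err != nil {
		return err
	}
	// If <SignedInfo> or <CanonicalizationMethod> is missing, the pointer is
	// nil and this line panics with a runtime nil-pointer dereference.
	if sig.SignedInfo.CanonicalizationMethod.Algorithm == "" {
		return errors.New("empty canonicalization algorithm")
	}
	return nil
}

// safeValidate is the recover()-based workaround: a panic raised while
// validating attacker-controlled input is converted into an ordinary error,
// so one malformed assertion cannot take down the whole process.
func safeValidate(doc []byte) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("signature validation panicked: %v", r)
		}
	}()
	return naiveValidate(doc)
}

// fixedValidate is the actual remedy: check every optional pointer before
// dereferencing it and return a descriptive error instead of panicking.
func fixedValidate(doc []byte) error {
	var sig Signature
	if err := xml.Unmarshal(doc, &sig); err != nil {
		return err
	}
	if sig.SignedInfo == nil {
		return errors.New("signature is missing SignedInfo")
	}
	if sig.SignedInfo.CanonicalizationMethod == nil {
		return errors.New("SignedInfo is missing CanonicalizationMethod")
	}
	if sig.SignedInfo.CanonicalizationMethod.Algorithm == "" {
		return errors.New("empty canonicalization algorithm")
	}
	return nil
}

// Constructed sample inputs: a well-formed signature skeleton and one that
// omits <SignedInfo> entirely, as a hostile client could send.
const goodSig = `<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">` +
	`<SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></SignedInfo>` +
	`</Signature>`

const malformedSig = `<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"></Signature>`

func main() {
	fmt.Println("good input, safeValidate:      ", safeValidate([]byte(goodSig)))
	fmt.Println("malformed input, safeValidate: ", safeValidate([]byte(malformedSig)))
	fmt.Println("malformed input, fixedValidate:", fixedValidate([]byte(malformedSig)))
	// Calling naiveValidate([]byte(malformedSig)) directly would crash the program.
}
```

In a real deployment the wrapper goes around whatever call parses and validates the incoming SAML response or signed element, and the converted error should be logged and answered with a 4xx rather than silently swallowed, since repeated hits are a signal of probing. The `recover()` path is a stopgap only: the nil checks in `fixedValidate` are what the upgraded library versions provide.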