CVE-2020-26276

Name of the Vulnerable Software and Affected Versions Fleet versions prior to 3.5.1

Description The issue arises from problems in Go's standard library XML parsing, allowing an attacker to mutate a valid SAML response and modify the trusted document. This can result in allowing unverified logins from a SAML IdP. Users that configure Fleet with SSO login may be vulnerable to this issue.

Recommendations For versions prior to 3.5.1, upgrade to version 3.5.1 to resolve the issue. If upgrade to 3.5.1 is not possible, disable SSO authentication in Fleet as a temporary workaround.