PT-2020-16408 · Mattermost · Xml-Roundtrip-Validator
Published: 2020-12-28 · Updated: 2024-06-15
CVE-2020-26290
CVSS v3.1: 9.3 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Dex versions prior to 2.27.0
Description
The issue affects users of the SAML connector and enables a potential signature bypass due to XML encoding issues in the underlying Go library. With a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. The root cause is the behavior of encoding/xml: a crafted XML document may cause XML Digital Signature validation to be bypassed entirely, so that an unsigned document appears signed.
Recommendations
For versions prior to 2.27.0, update to version 2.27.0 or later, which addresses the issue by using the xml-roundtrip-validator from Mattermost. Additionally, users of goxmldsig should upgrade to v1.1.0. As a temporary workaround, consider restricting the use of the SAML connector until the update is applied.
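As an added illustration of what a round-trip validator checks (example code written for this page, not Dex's or Mattermost's xml-roundtrip-validator implementation): parse the document with Go's encoding/xml, re-encode the token stream, parse that output again, and refuse the document unless both parses yield identical tokens. The SAML-shaped response is a constructed sample, and the check is deliberately simplified and conservative.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"errors"
	"io"
	"reflect"
)

var clean = []byte(`<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"><saml:Assertion ID="_a1"><saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>`) // constructed, minimal SAML-shaped response
// tokens parses doc with the namespace-resolving Token API, re-serialises each token to w with
// encoding/xml and returns copies. xmlns declarations (except an xmlns="" reset) are dropped from
// start elements, because the encoder re-emits them from Name.Space in its own spelling.
func tokens(doc []byte, w io.Writer) ([]xml.Token, error) {
	dec, enc := xml.NewDecoder(bytes.NewReader(doc)), xml.NewEncoder(w)
	var out []xml.Token
	for t, err := dec.Token(); err != io.EOF; t, err = dec.Token() {
		if err != nil {
			return nil, err
		}
		if se, ok := t.(xml.StartElement); ok {
			attrs := []xml.Attr{} // non-nil, so attribute-less elements compare equal after both parses
			for _, a := range se.Attr {
				if a.Name.Space != "xmlns" && (a.Name.Space != "" || a.Name.Local != "xmlns" || a.Value == "") {
					attrs = append(attrs, a)
				}
			}
			t = xml.StartElement{Name: se.Name, Attr: attrs}
		}
		if err := enc.EncodeToken(t); err != nil {
			return nil, err
		}
		out = append(out, xml.CopyToken(t)) // copy: CharData aliases the decoder's buffer
	}
	return out, enc.Flush()
}
// Validate accepts doc only if parsing it, re-encoding the tokens and parsing that output again
// yields the identical token stream; otherwise two parses of the same bytes disagree about the
// content, which is exactly the gap a signature check must never straddle.
func Validate(doc []byte) error {
	var buf bytes.Buffer
	orig, err := tokens(doc, &buf)
	if err != nil {
		return err
	}
	again, err := tokens(buf.Bytes(), io.Discard)
	if err == nil && !reflect.DeepEqual(orig, again) {
		err = errors.New("token stream changed across an encoding/xml round-trip")
	}
	return err
}
```

Text adjacent to a CDATA section, for example `<a>alice<![CDATA[@example.test]]></a>`, is also refused: Go reports two text tokens that the encoder merges into one, so the check errs toward rejection rather than guessing at equivalence.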
Fix
Authentication Bypass by Spoofing
Improper Verification of Cryptographic Signature
Related Identifiers
Affected Products
Encoding/Xml
Xml-Roundtrip-Validator