PT-2020-17180 · Go+1 · Encoding/Xml Package+2
Published: 2020-12-14 · Updated: 2024-03-06
CVE-2020-29509
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
encoding/xml package in Go (all versions)
Description
The issue allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications. This can cause XML Digital Signature validation to be entirely bypassed, making an unsigned document appear signed. Given a valid SAML Response, it may be possible for an attacker to mutate the XML document, enabling attacks such as users accessing accounts other than the one to which they authenticated or full authentication bypass.
Recommendations
Upgrade software that relies on the encoding/xml package in Go to a version that includes the necessary fixes, such as gosaml2 version 0.6.0 or greater, if applicable to your specific use case.
As a temporary workaround, consider restricting the processing of XML documents to minimize the risk of exploitation.
Affected Products
Debian
Encoding/Xml Package
Gosaml2