PT-2020-19733 · Russell Haering · Goxmldsig+1

Steven Johnstone · Published 2020-08-23 · Updated 2022-11-15 · CVE-2020-7711

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

github.com/russellhaering/goxmldsig versions prior to 1.1.1
github.com/russellhaering/gosaml2 versions prior to 0.7.0

Description

The issue is caused by a nil-pointer dereference when sending malformed XML signatures, leading to a crash. This can be used as a denial of service vector if user-supplied signatures are being validated. The problem occurs when an attacker supplies an invalid assertion, triggering a panic.

Recommendations

For github.com/russellhaering/goxmldsig versions prior to 1.1.1, update to version 1.1.1 to resolve the issue. For github.com/russellhaering/gosaml2 versions prior to 0.7.0, update to version 0.7.0 to resolve the issue. As a temporary workaround for github.com/russellhaering/gosaml2, callers can use recover() to handle panics and mitigate the potential denial of service vector.
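The recover() workaround above, as an added example that is not code from goxmldsig or gosaml2: a wrapper that runs any validator under a deferred recover() so a panic on malformed input becomes an error the caller can reject. The `Validator` type, `parseSignature` and `brokenValidate` are constructed stand-ins for the library's real API and for the nil-dereference failure mode, not the actual vulnerable code.

```go
package main

import (
	"errors"
	"fmt"
)

// Validator stands in for a signature-validation call such as the one
// gosaml2 performs on an assertion; the real API is not reproduced here
// (assumption for this example).
type Validator func(assertion []byte) error

// signature is a constructed stand-in for a parsed XML signature element.
type signature struct {
	Value string
}

// parseSignature mimics the failure mode in the advisory: malformed input
// yields a nil element instead of an error (constructed behaviour).
func parseSignature(assertion []byte) *signature {
	if len(assertion) == 0 || assertion[0] != '<' {
		return nil
	}
	return &signature{Value: string(assertion)}
}

// brokenValidate reproduces the class of bug described: it trusts the
// parser's return value and dereferences a nil pointer on malformed input.
func brokenValidate(assertion []byte) error {
	sig := parseSignature(assertion)
	if sig.Value == "" { // panics with a nil-pointer dereference when sig == nil
		return errors.New("empty signature")
	}
	return nil
}

// SafeValidate is the temporary workaround: run the validator under a
// deferred recover() so a panic is turned into an error for this request
// instead of taking the whole process down.
func SafeValidate(v Validator, assertion []byte) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("signature validation panicked: %v", r)
		}
	}()
	return v(assertion)
}

func main() {
	fmt.Println(SafeValidate(brokenValidate, []byte("not-xml")))      // error, no crash
	fmt.Println(SafeValidate(brokenValidate, []byte("<Signature/>"))) // <nil>
}
```

The wrapper only contains the denial of service; the permanent fix is upgrading to goxmldsig 1.1.1 / gosaml2 0.7.0, where the library itself returns an error for the malformed signature.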

Weakness Enumeration

NULL Pointer Dereference

Related Identifiers

CVE-2020-7711
GHSA-GQ5R-CC4W-G8XF
GHSA-MQQV-CHPX-VQ25
GHSA-PRJQ-F4Q3-FVFR
GO-2020-0046
SNYK-GOLANG-GITHUBCOMRUSSELLHAERINGGOSAML2-608302
SNYK-GOLANG-GITHUBCOMRUSSELLHAERINGGOXMLDSIG-608301

Affected Products

Gosaml2
Goxmldsig