PT-2021-12657 · Goxmldsig+1 · Goxmldsig+1

Steven Johnstone

Published

2021-04-14

Updated

2023-03-10

CVE-2020-7731

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions: gosaml2 versions prior to 0.7.0 goxmldsig versions prior to 1.1.1

Description: The issue is caused by a nil-pointer dereference when validating malformed XML Digital Signatures, leading to a crash or panic. This can be used as a denial of service vector if user-supplied signatures are being validated. The problem occurs when an attacker supplies an invalid assertion.

Recommendations: For gosaml2 versions prior to 0.7.0, update to version 0.7.0 or later to resolve the issue. For goxmldsig versions prior to 1.1.1, update to version 1.1.1 or later to resolve the issue. As a temporary workaround, callers to gosaml2 can use recover() to handle panics and mitigate a potential DoS.

Fix

NULL Pointer Dereference

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-476

Related Identifiers

CVE-2020-7731

GHSA-GQ5R-CC4W-G8XF

GHSA-MQQV-CHPX-VQ25

GHSA-PRJQ-F4Q3-FVFR

GO-2020-0046

SNYK-GOLANG-GITHUBCOMRUSSELLHAERINGGOSAML2-608302

SNYK-GOLANG-GITHUBCOMRUSSELLHAERINGGOXMLDSIG-608301

Affected Products

Gosaml2

Goxmldsig

PT-2021-12657 · Goxmldsig+1 · Goxmldsig+1

CVE-2020-7731

Weakness Enumeration

Related Identifiers

Affected Products

References · 18