{"schema_version":"1.3.1","id":"GO-2021-0058","modified":"2024-05-20T16:03:47Z","published":"2021-04-14T20:04:52Z","aliases":["CVE-2020-27846","GHSA-4hq8-gmxx-h6w9"],"summary":"Signature validation bypass due to XML processing error in github.com/crewjam/saml","details":"Due to the behavior of encoding/xml, a crafted XML document may cause XML Digital Signature validation to be entirely bypassed, causing an unsigned document to appear signed.","affected":[{"package":{"name":"github.com/crewjam/saml","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.4.3"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/crewjam/saml","symbols":["IdentityProvider.ServeSSO","IdpAuthnRequest.Validate","ServiceProvider.ParseResponse","ServiceProvider.ParseXMLResponse","ServiceProvider.ValidateLogoutResponseForm","ServiceProvider.ValidateLogoutResponseRedirect","ServiceProvider.ValidateLogoutResponseRequest"]},{"path":"github.com/crewjam/saml/samlidp","symbols":["Server.HandlePutService","getSPMetadata"]},{"path":"github.com/crewjam/saml/samlsp","symbols":["FetchMetadata","Middleware.ServeHTTP","New","ParseMetadata"]}]}}],"references":[{"type":"FIX","url":"https://github.com/crewjam/saml/commit/da4f1a0612c0a8dd0452cf8b3c7a6518f6b4d053"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2021-0058","review_status":"REVIEWED"}}