QwikSec

Security Database

CVE

CWE

Training

CVE-2020-26290

Published: Dec 28, 2020

Modified: Aug 4, 2024

PUBLISHED

CVSS v3.1

9.3

CRITICAL

Description

Dex is a federated OpenID Connect provider written in Go. In Dex before version 2.27.0 there is a critical set of vulnerabilities which impacts users leveraging the SAML connector. The vulnerabilities enables potential signature bypass due to issues with XML encoding in the underlying Go library. The vulnerabilities have been addressed in version 2.27.0 by using the xml-roundtrip-validator from Mattermost (see related references).

Vendor	Product	Versions
dexidp	dex	affected `< 2.27.0`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

References

https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-directives.md

x_refsource_MISC

https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-elements.md

x_refsource_MISC

https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-attributes.md

x_refsource_MISC

https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/

x_refsource_MISC

https://github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5

x_refsource_CONFIRM

https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7

x_refsource_MISC

https://github.com/dexidp/dex/commit/324b1c886b407594196113a3dbddebe38eecd4e8

x_refsource_MISC

https://github.com/dexidp/dex/releases/tag/v2.27.0

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.