CVE-2020-26290

Name
CVE-2020-26290
Description
Dex is a federated OpenID Connect provider written in Go. In Dex before version 2.27.0 there is a critical set of vulnerabilities which impacts users leveraging the SAML connector. The vulnerabilities enables potential signature bypass due to issues with XML encoding in the underlying Go library. The vulnerabilities have been addressed in version 2.27.0 by using the xml-roundtrip-validator from Mattermost (see related references).
NVD Severity
high
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Third Party Advisory https://github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5
Not Applicable https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-attributes.md
Not Applicable https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-directives.md
Not Applicable https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/
Third Party Advisory https://github.com/dexidp/dex/releases/tag/v2.27.0
Patch https://github.com/dexidp/dex/commit/324b1c886b407594196113a3dbddebe38eecd4e8
Not Applicable https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7
Not Applicable https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-elements.md

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:linuxfoundation:dex:*:*:*:*:*:*:*:* dex >= None < 2.27.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
dex edge-community 0.10.1-r0 Anjandev Momi <anjan@momi.ca> possibly vulnerable
dex 3.23-community 0.10.1-r0 Anjandev Momi <anjan@momi.ca> possibly vulnerable
dex 3.22-community 0.10.1-r0 Anjandev Momi <anjan@momi.ca> possibly vulnerable