CVE-2020-26290
CRITICAL — Dex < 2.27.0 - Cryptographic Signature Verification Bypass via XML Encoding Issue
Title source: llmDescription
Dex is a federated OpenID Connect provider written in Go. In Dex before version 2.27.0 there is a critical set of vulnerabilities that impacts users leveraging the SAML connector. The vulnerabilities enable a potential signature bypass due to issues with XML encoding in the underlying Go library. The vulnerabilities have been addressed in version 2.27.0 by using the xml-roundtrip-validator from Mattermost (see related references).
References (8)
Core References
Not Applicable, Third Party Advisory x_refsource_misc
https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-directives.md
Not Applicable, Third Party Advisory x_refsource_misc
https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-elements.md
Not Applicable, Third Party Advisory x_refsource_misc
https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-attributes.md
Not Applicable, Third Party Advisory x_refsource_misc
https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/
Third Party Advisory x_refsource_confirm
https://github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5
Not Applicable, Third Party Advisory x_refsource_misc
https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7
Patch, Third Party Advisory x_refsource_misc
https://github.com/dexidp/dex/commit/324b1c886b407594196113a3dbddebe38eecd4e8
Third Party Advisory x_refsource_misc
https://github.com/dexidp/dex/releases/tag/v2.27.0
Scores
CVSS v3
9.3
EPSS
0.0050
EPSS Percentile
66.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Details
CWE
CWE-347
Status
published
Products (3)
dexidp/dex
0 - 2.27.0 (Go)
linuxfoundation/dex
< 2.27.0
russellhaering/goxmldsig
0 - 1.1.0 (Go)
Published
Dec 28, 2020
Tracked Since
Feb 18, 2026