CVE-2021-23365
Severity: MEDIUM
tyk-identity-broker < 1.1.1 - Authentication Bypass via Go XML Parser
The package github.com/tyktechnologies/tyk-identity-broker before 1.1.1 is vulnerable to Authentication Bypass via the Go XML parser, which can result in a SAML authentication bypass. The root cause is that Go's encoding/xml parser does not guarantee round-trip integrity: decoding an XML document and encoding it again is not guaranteed to reproduce the same document. A SAML implementation that verifies a signature over one serialization and then parses or re-serializes the document can therefore end up trusting content that was never covered by the signature check.
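The following Go program is an added example, not code from tyk-identity-broker or from its fix; it makes the round-trip claim concrete. It decodes a document with encoding/xml, re-encodes the token stream, and compares the bytes. The function names, the inputs and the idea of using the comparison as a guard are all this example's own assumptions. The divergence it shows (a self-closing element being rewritten as an open/close pair) is harmless in itself; the cases that have been used against SAML signature checks involve namespace and directive handling, which are not reproduced here. The point is that byte identity after a decode/encode cycle cannot be assumed, so signature verification and parsing must operate on the same bytes.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// RoundTrip decodes the input with encoding/xml and re-encodes the resulting
// token stream. This mirrors what a library does when it verifies a signature
// over one serialization and later parses or re-serializes the document.
func RoundTrip(in string) (string, error) {
	dec := xml.NewDecoder(strings.NewReader(in))
	var out bytes.Buffer
	enc := xml.NewEncoder(&out)
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			break
		}
		if err != nil {
			return "", err
		}
		// Encode each token immediately; Token() output is only valid
		// until the next call.
		if err := enc.EncodeToken(tok); err != nil {
			return "", err
		}
	}
	if err := enc.Flush(); err != nil {
		return "", err
	}
	return out.String(), nil
}

// RoundTripIsLossless reports whether decode followed by encode reproduced
// the exact input bytes. A consumer that must re-serialize signed XML can
// use this as a guard and refuse any document for which it returns false.
func RoundTripIsLossless(in string) (bool, error) {
	out, err := RoundTrip(in)
	if err != nil {
		return false, err
	}
	return out == in, nil
}

func main() {
	// Constructed inputs for illustration; not taken from any real SAML exchange.
	samples := []string{
		`<Assertion><Subject>alice</Subject></Assertion>`, // reproduced byte for byte
		`<Assertion><Subject/></Assertion>`,               // self-closing tag is rewritten
	}
	for _, s := range samples {
		out, err := RoundTrip(s)
		if err != nil {
			fmt.Println("decode/encode error:", err)
			continue
		}
		fmt.Printf("in:  %s\nout: %s\nlossless: %v\n\n", s, out, out == s)
	}
}
```

Running it shows the second sample coming back as `<Assertion><Subject></Subject></Assertion>`. For the advisory's bug class the practical mitigation is to verify the XML signature over the raw bytes received and to extract the assertion from those same verified bytes, never from a re-serialized copy; treating any round-trip mismatch as a hard failure is a defence-in-depth check, not a substitute for upgrading to 1.1.1.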
References (5)
Third Party Advisory: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTYKTECHNOLOGIESTYKIDENTITYBROKER-1089720
Release Notes, Third Party Advisory: https://github.com/TykTechnologies/tyk-identity-broker/releases/tag/v1.1.1
Patch, Third Party Advisory: https://github.com/TykTechnologies/tyk-identity-broker/commit/243092965b0f93a95a14cb882b5b9a3df61dd5c0
Patch, Third Party Advisory: https://github.com/TykTechnologies/tyk-identity-broker/commit/46f70420e0911e4e8b638575e29d394c227c75d0
Patch, Third Party Advisory: https://github.com/TykTechnologies/tyk-identity-broker/pull/147
Scores
CVSS v3: 4.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
Attack Vector: NETWORK
EPSS: 0.0101 (1.01%)
EPSS Percentile: 58.7%
Details
CWE: CWE-287 (Improper Authentication)
Status: published
Products (2)
tyk/tyk-identity-broker: < 1.1.1
tyktechnologies/tyk-identity-broker (Go): 0 - 1.1.1 (all versions before 1.1.1)
Published: Apr 26, 2021
Tracked Since: Feb 18, 2026