SB2020121425 - Improper Verification of Cryptographic Signature in gosaml2
Published: December 14, 2020 Updated: April 28, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2020-29509)
The vulnerability allows a remote attacker to bypass authentication.
The vulnerability exists because signed XML content is not properly verified during SAML response processing: when a valid, signed SAML response is delivered with mutated XML content, a remote attacker can rearrange the document so that the library trusts a different portion of it than the one that was actually signed, and thereby bypass authentication.
Depending on the service provider implementation, the issue may also allow access to an account other than the one authenticated at the identity provider.
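As an added illustration (not code from gosaml2 or from this bulletin), the following Go check enforces the property the description turns on: the Assertion a service provider actually consumes must be the very element the XML signature covers, and that element's ID must be unique in the document. It assumes the service provider requires an enveloped signature on the Assertion and that the signature's cryptographic verification happens separately; Node and CheckSignedAssertion are names chosen for this example.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Node is a generic element tree; encoding/xml fills it for arbitrary SAML markup.
type Node struct {
	XMLName xml.Name
	ID      string `xml:"ID,attr"`  // SAML element ID
	URI     string `xml:"URI,attr"` // ds:Reference URI, "#<ID>" when enveloped
	Nodes   []Node `xml:",any"`
}

// CheckSignedAssertion rejects a response unless the Assertion a service provider
// would consume (the first in document order) is exactly the element its own
// enveloped Signature references, and that ID occurs only once in the document.
// Cryptographic verification of the signature is assumed to happen separately.
func CheckSignedAssertion(doc []byte) error {
	var root Node
	if err := xml.Unmarshal(doc, &root); err != nil {
		return err
	}
	ids, refURI := map[string]int{}, "" // ids[""] merely counts ID-less elements
	var assertion *Node
	var visit func(n *Node, inside bool) // inside: within the consumed Assertion
	visit = func(n *Node, inside bool) {
		ids[n.ID]++
		if n.XMLName.Local == "Assertion" && assertion == nil {
			assertion, inside = n, true
		}
		if inside && n.XMLName.Local == "Reference" && refURI == "" {
			refURI = n.URI
		}
		for i := range n.Nodes {
			visit(&n.Nodes[i], inside)
		}
	}
	visit(&root, false)
	signedID := strings.TrimPrefix(refURI, "#")
	switch {
	case refURI == "" || signedID == "":
		return fmt.Errorf("no Assertion with an enveloped Signature Reference")
	case ids[signedID] != 1:
		return fmt.Errorf("signed ID %q occurs %d times", signedID, ids[signedID])
	case assertion.ID != signedID:
		return fmt.Errorf("Assertion %q consumed but %q was signed", assertion.ID, signedID)
	}
	return nil
}
```

Call the check after the signature has been cryptographically verified and before any attribute or subject is read from the Assertion; a mismatch means the verified bytes and the consumed element are not the same thing.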
Remediation
Install the update from the vendor's website.