Improper Verification of Cryptographic Signature in gosaml2 - CVE-2020-29509

 

Improper Verification of Cryptographic Signature in gosaml2 - CVE-2020-29509

Published: December 14, 2020 / Updated: April 28, 2026


Vulnerability identifier: #VU128387
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2020-29509
CWE-ID: CWE-347
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Russell Haering
Affected software:
gosaml2

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authentication.

The vulnerability exists due to improper verification of signed XML content in SAML response processing when handling a valid SAML response containing mutated XML content. A remote attacker can modify the XML document so that the library trusts a different portion of the document than was signed to bypass authentication.

Depending on the service provider implementation, the issue may also allow access to an account other than the one authenticated at the identity provider.


How to mitigate CVE-2020-29509

Install security update from vendor's website.

Sources