Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2020-29509

Опубликовано: 14 дек. 2020
Источник: debian
EPSS Низкий

Описание

The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
golang-github-russellhaering-gosaml2itppackage
golang-1.15unfixedpackage
golang-1.11removedpackage
golang-1.8removedpackage
golang-1.7removedpackage

Примечания

  • Golang upstream does not consider the issue to be fixable in Go, instead

  • shifts responsibility to saml packages.

  • https://github.com/golang/go/issues/43168

  • https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/

  • https://github.com/russellhaering/gosaml2/security/advisories/GHSA-xhqq-x44f-9fgg

EPSS

Процентиль: 41%
0.00187
Низкий

Связанные уязвимости

ubuntu логотип

CVE-2020-29509

CVSS3: 9.8
ubuntu
около 5 лет назад

The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.

redhat логотип

CVE-2020-29509

CVSS3: 5.6
redhat
около 5 лет назад

The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.

nvd логотип

CVE-2020-29509

CVSS3: 9.8
nvd
около 5 лет назад

The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.

msrc логотип

CVE-2020-29509

CVSS3: 5.6
msrc
около 4 лет назад

The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.

github логотип

GHSA-xhqq-x44f-9fgg

CVSS3: 9.8
github
почти 4 года назад

Authentication Bypass in github.com/russellhaering/gosaml2

EPSS

Процентиль: 41%
0.00187
Низкий