Описание
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
A flaw was found in go. Encoding and decoding of XML attributes could lead to changes in the observed integrity. An attacker could use this flaw to trick applications which rely on attribute integrity for security decisions to make those decisions incorrectly. Known vulnerability use-cases are SAML and XML-DSig.
Отчет
All uses of xml/encoding package in OpenShift Container Platform, OpenShift Jaeger, OpenShift Service Mesh (OSSM), OpenShift Virtualization and OpenShift Container Storage do not rely on XML stability. We have assigned CVE-2020-27846 for crewjam/saml, and CVE-2020-27847 for dexidp/dex Go modules which are known to use encoding/xml in an unsafe way. As it is unlikely for there to be any fix for this issue in Go's encoding/xml library, and the library should not be relied upon for security-sensitive protocols such as SAML and XML-DSig, there is currently no plan to fix this in golang as shipped in Red Hat Enterprise Linux 7, 8, or Red Hat Developer Tools.
Меры по смягчению последствий
While there is unlikely to be any fix for this issue Go's encoding/xml library affected users can workaround the vulnerability by using Mattermost's xml-roundtrip-validator [1]. [1] https://github.com/mattermost/xml-roundtrip-validator
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Distributed Tracing Jaeger 1 | distributed-tracing/jaeger-all-in-one-rhel7 | Not affected | ||
| Distributed Tracing Jaeger 1 | distributed-tracing/jaeger-all-in-one-rhel8 | Not affected | ||
| Distributed Tracing Jaeger 1 | distributed-tracing/jaeger-collector-rhel7 | Not affected | ||
| Distributed Tracing Jaeger 1 | distributed-tracing/jaeger-collector-rhel8 | Not affected | ||
| Distributed Tracing Jaeger 1 | distributed-tracing/jaeger-rhel7-operator | Not affected | ||
| Distributed Tracing Jaeger 1 | distributed-tracing/jaeger-rhel8-operator | Not affected | ||
| OpenShift Service Mesh 2.0 | servicemesh | Not affected | ||
| OpenShift Service Mesh 2.0 | servicemesh-operator | Not affected | ||
| OpenShift Service Mesh 2.0 | servicemesh-prometheus | Not affected | ||
| Red Hat Developer Tools | go-toolset-1.14-golang | Will not fix |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
EPSS
5.6 Medium
CVSS3
Связанные уязвимости
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
The encoding/xml package in Go (all versions) does not correctly prese ...
Authentication Bypass in github.com/russellhaering/gosaml2
EPSS
5.6 Medium
CVSS3