You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
See doc/triage.md for instructions on how to triage this report.
package: github.com/russellhaering/gosaml2
versions:
- introduced: v0.0.0
fixed: v0.5.0
description: |-
### Impact
Given a valid SAML Response, an attacker can potentially modify the document, bypassing signature validation in order to pass off the altered document as a signed one.
This enables a variety of attacks, including users accessing accounts other than the one to which they authenticated in the identity provider, or full authentication bypass if an external attacker can obtain an expired, signed SAML Response.
### Patches
A patch is available, users of gosaml2 should upgrade to v0.5.0 or higher.
### References
See the [underlying advisory on goxmldsig](https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7) for more details.
published: 2021-05-24T16:59:47Z
last_modified: 2021-10-05T17:07:11Z
ghsas:
- GHSA-5684-g483-2249
The text was updated successfully, but these errors were encountered:
In GitHub Security Advisory GHSA-5684-g483-2249, there is a vulnerability in the following Go packages or modules:
See doc/triage.md for instructions on how to triage this report.
The text was updated successfully, but these errors were encountered: