gosaml2 is vulnerable to NULL Pointer Dereference from malformed XML signatures

2021-06-2317:25:08

Google

osv.dev

0.001 Low

EPSS

Percentile

51.0%

JSON

This affects all versions less than 0.7.0 of package github.com/russellhaering/gosaml2. There is a crash on null pointer dereference caused by sending malformed XML signatures.

CPENameOperatorVersion
github.com/russellhaering/goxmldsiglt1.1.1
github.com/russellhaering/gosaml2lt0.7.0

CPE	Name	Operator	Version
	github.com/russellhaering/goxmldsig	lt	1.1.1
	github.com/russellhaering/gosaml2	lt	0.7.0

References

github.com/russellhaering/gosaml2

github.com/russellhaering/gosaml2/commit/66e3b7affd622b8b24ea1e18845f045e46b23424

github.com/russellhaering/gosaml2/issues/59

github.com/russellhaering/gosaml2/pull/90

github.com/russellhaering/gosaml2/releases/tag/v0.7.0

github.com/russellhaering/goxmldsig/issues/48

nvd.nist.gov/vuln/detail/CVE-2020-7731

snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRUSSELLHAERINGGOSAML2-608302

0.001 Low

EPSS

Percentile

51.0%

JSON

Related for OSV:GHSA-GQ5R-CC4W-G8XF