4 matches found
gosaml2 CBC Padding Panic — Unauthenticated Process Crash
Summary: The AES-CBC decryption path in DecryptBytes panics on crafted ciphertext whose plaintext is all zero bytes. After decryption, bytes.TrimRight(data, "\x00") empties the slice, then data[len(data)-1] panics with index out of range [-1]. There is no recover in the library. The panic propagates throu...
gosaml2 Security Vulnerability
gosaml2 is a software application. It provides a SAML 2.0 implementation of a service provider's functionality based on etree and goxmldsig, a Go implementation of pure XML digital signatures. A security vulnerability exists in gosaml2, which stems from the fact that a much larger amount of memory...
CVE-2020-7731
This affects all versions <0.7.0 of package github.com/russellhaering/gosaml2. There is a crash on nil-pointer dereference caused by sending malformed XML signatures...
PT-2020-19733 · Russell Haering · Gosaml2 +1
Name of the Vulnerable Software and Affected Versions: github.com/russellhaering/goxmldsig versions prior to 1.1.1; github.com/russellhaering/gosaml2 versions prior to 0.7.0. Description: The issue is caused by a nil-pointer dereference when sending malformed XML signatures, leading to a crash. Thi...