github.com/fleetdm/fleet, is vulnerable to authentication bypass. The vulnerability exists due to stdlib XML parsing in the validate.go
file and valid SAML response allowing an attacker to modify the trusted document and cause unauthorized login through SAML IdP.
CPE | Name | Operator | Version |
---|---|---|---|
github.com/fleetdm/fleet | le | 3.5.0 | |
github.com/fleetdm/fleet | le | 3.5.0 |
github.com/fleetdm/fleet/blob/master/CHANGELOG.md#fleet-351-dec-14-2020
github.com/fleetdm/fleet/commit/57812a532e5f749c8e18c6f6a652eca65c083607
github.com/fleetdm/fleet/security/advisories/GHSA-w3wf-cfx3-6gcx
github.com/mattermost/xml-roundtrip-validator
mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities