CVE-2020-29509

The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.

Published: Dec 14, 2020
Updated: May 9, 2024
CVE: CVE-2020-29509
GHSA: GHSA-xhqq-x44f-9fgg
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.6
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS v2:

Severity: Medium
Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P

CWEs:

CWE-115

Affected Software
References

Software	From	Fixed in
github.com/russellhaering/gosaml2	-	0.6.0
golang / go	-	1.17

https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-attributes.md
https://github.com/russellhaering/gosaml2/commit/42606dafba60c58c458f14f75c4c230459672ab9
https://github.com/russellhaering/gosaml2/security/advisories/GHSA-xhqq-x44f-9fgg
https://pkg.go.dev/vuln/GO-2021-0060
https://security.netapp.com/advisory/ntap-20210129-0006/

Vulnerability Database

289,599

CVE-2020-29509