CVE-2020-29509
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
| Software | From | Fixed in |
|---|---|---|
github.com/russellhaering/gosaml2
|
- | 0.6.0 |
| golang / go | - | 1.17 |
- https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-attributes.md
- https://github.com/russellhaering/gosaml2/commit/42606dafba60c58c458f14f75c4c230459672ab9
- https://github.com/russellhaering/gosaml2/security/advisories/GHSA-xhqq-x44f-9fgg
- https://pkg.go.dev/vuln/GO-2021-0060
- https://security.netapp.com/advisory/ntap-20210129-0006/
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime