CVE-2020-29509 (Medium) detected in github.com/russellhaering/gosaml2-v0.7.0 - autoclosed

[mend-bolt-for-github[bot]]

CVE-2020-29509 - Medium Severity Vulnerability

Vulnerable Library - github.com/russellhaering/gosaml2-v0.7.0

Pure Go implementation of SAML 2.0

Dependency Hierarchy: - :x: **github.com/russellhaering/gosaml2-v0.7.0** (Vulnerable Library)

Found in base branch: dev/seed-tool

Vulnerability Details

The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.

Publish Date: 2020-12-14

URL: CVE-2020-29509

CVSS 3 Score Details (5.6)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-29509

Release Date: 2020-12-14

Fix Resolution: v0.6.0

---

Step up your Open Source Security Game with WhiteSource here

[mend-bolt-for-github[bot]]

:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.

[mend-bolt-for-github[bot]]

:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.