Vulnerability Details : CVE-2020-27847
A vulnerability exists in the SAML connector of the github.com/dexidp/dex library used to process SAML Signature Validation. This flaw allows an attacker to bypass SAML authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. This flaw affects dex versions before 2.27.0.
Products affected by CVE-2020-27847
- cpe:2.3:a:linuxfoundation:dex:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-27847
0.76%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 71 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-27847
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2020-27847
-
The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification.Assigned by: secalert@redhat.com (Primary)
-
This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.Assigned by: secalert@redhat.com (Primary)
References for CVE-2020-27847
-
https://bugzilla.redhat.com/show_bug.cgi?id=1907732
Issue Tracking;Third Party Advisory
-
https://github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5
Critical security issues in XML encoding · Advisory · dexidp/dex · GitHubPatch;Third Party Advisory
-
https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/
Coordinated disclosure of XML round-trip vulnerabilities in Go libraryVendor Advisory
Jump to