CVE-2020-26290 CRITICAL

CVE-2020-26290: Critical security issues in XML encoding in Dex

Vendor Dexidp
Product dex
Weakness CWE-347
Published December 28, 2020
Last update August 4, 2024

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

Dex is a federated OpenID Connect provider written in Go. In Dex before version 2.27.0 there is a critical set of vulnerabilities which impacts users leveraging the SAML connector. The vulnerabilities enables potential signature bypass due to issues with XML encoding in the underlying Go library. The vulnerabilities have been addressed in version 2.27.0 by using the xml-roundtrip-validator from Mattermost (see related references).

Key dates

02Disclosure timeline

December 28, 2020 CVE published
August 4, 2024 Record updated