CVE-2020-27847
Description
A vulnerability exists in the SAML connector of the github.com/dexidp/dex library used to process SAML Signature Validation. This flaw allows an attacker to bypass SAML authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. This flaw affects dex versions before 2.27.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A SAML signature validation bypass in dex before 2.27.0 allows an attacker to forge authentication responses, compromising confidentiality, integrity, and availability.
Vulnerability
The flaw is in the SAML connector of github.com/dexidp/dex and affects versions before 2.27.0. Signature validation can be bypassed because Go's standard library encoding/xml does not round-trip XML faithfully: decoding a document and re-encoding it can alter it (namespace prefixes and directives are among the constructs that are not preserved), so the XML whose signature was verified need not be the XML whose contents were later trusted. The result is a SAML authentication bypass [1][2][3].
Exploitation
No prior authentication is needed: the attacker submits a crafted SAML response directly to the service provider, and the issue is triggered while that response is processed. The response is built so that the representation checked against the signature and the representation the XML decoder actually acts on differ, which is the round-trip instability described above; a signature that verifies therefore does not vouch for the content dex goes on to use [1][3].
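The following Go program is an added illustration written for this page; it is not dex's code and not the exploit. It shows the underlying instability in encoding/xml on two constructed documents: decoding a document with Decoder.Token and re-encoding it with Encoder.EncodeToken yields different raw tokens when the input uses namespace prefixes (as SAML responses normally do with samlp:, saml: and ds:), while a prefix-free document survives unchanged. The CheckRoundTrip function is the defensive screen a consumer can run before trusting a signature that was validated on one representation of the document: if the round trip is not stable, refuse the document. The Mattermost disclosure cited below published a library for this purpose (github.com/mattermost/xml-roundtrip-validator); the simplified version here uses only the standard library. The sample documents and the function names are this example's own.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
)

// Two constructed inputs (not taken from any real SAML exchange). The first
// uses no namespace prefixes; the second declares a prefix the way SAML
// responses routinely do.
const (
	StableDoc   = `<Response ID="abc"><Status>ok</Status></Response>`
	PrefixedDoc = `<a:Response xmlns:a="urn:a" ID="abc"><a:Status>ok</a:Status></a:Response>`
)

// rawTokens decodes src with RawToken, which keeps element and attribute
// names exactly as written (no prefix-to-URL translation), and copies every
// token so the decoder's reused buffers are not aliased.
func rawTokens(src []byte) ([]xml.Token, error) {
	d := xml.NewDecoder(bytes.NewReader(src))
	var toks []xml.Token
	for {
		t, err := d.RawToken()
		if err == io.EOF {
			return toks, nil
		}
		if err != nil {
			return nil, err
		}
		toks = append(toks, xml.CopyToken(t))
	}
}

// reencode runs src through the namespace-aware Decoder.Token path and writes
// the tokens back out with an Encoder: the decode/encode cycle a consumer
// performs when it parses a document and serializes it again.
func reencode(src []byte) ([]byte, error) {
	d := xml.NewDecoder(bytes.NewReader(src))
	var out bytes.Buffer
	e := xml.NewEncoder(&out)
	for {
		t, err := d.Token()
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, err
		}
		if err := e.EncodeToken(t); err != nil {
			return nil, err
		}
	}
	if err := e.Flush(); err != nil {
		return nil, err
	}
	return out.Bytes(), nil
}

// tokenEqual compares two raw tokens field by field.
func tokenEqual(a, b xml.Token) bool {
	switch x := a.(type) {
	case xml.StartElement:
		y, ok := b.(xml.StartElement)
		if !ok || x.Name != y.Name || len(x.Attr) != len(y.Attr) {
			return false
		}
		for i := range x.Attr {
			if x.Attr[i] != y.Attr[i] {
				return false
			}
		}
		return true
	case xml.EndElement:
		y, ok := b.(xml.EndElement)
		return ok && x.Name == y.Name
	case xml.CharData:
		y, ok := b.(xml.CharData)
		return ok && bytes.Equal(x, y)
	case xml.Comment:
		y, ok := b.(xml.Comment)
		return ok && bytes.Equal(x, y)
	case xml.ProcInst:
		y, ok := b.(xml.ProcInst)
		return ok && x.Target == y.Target && bytes.Equal(x.Inst, y.Inst)
	case xml.Directive:
		y, ok := b.(xml.Directive)
		return ok && bytes.Equal(x, y)
	}
	return false
}

// CheckRoundTrip reports whether src survives decode -> encode -> decode with
// an identical raw token stream, and returns the re-encoded bytes so the
// caller can see exactly what encoding/xml changed.
func CheckRoundTrip(src []byte) (stable bool, reencoded []byte, err error) {
	before, err := rawTokens(src)
	if err != nil {
		return false, nil, err
	}
	reencoded, err = reencode(src)
	if err != nil {
		return false, nil, err
	}
	after, err := rawTokens(reencoded)
	if err != nil {
		return false, reencoded, err
	}
	if len(before) != len(after) {
		return false, reencoded, nil
	}
	for i := range before {
		if !tokenEqual(before[i], after[i]) {
			return false, reencoded, nil
		}
	}
	return true, reencoded, nil
}

func main() {
	for _, doc := range []string{StableDoc, PrefixedDoc} {
		stable, out, err := CheckRoundTrip([]byte(doc))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("stable=%v\n  in:  %s\n  out: %s\n", stable, doc, out)
	}
}
```

On the prefixed document the encoder drops the `a:` prefix from the element names and re-expresses the namespace as an `xmlns="urn:a"` default declaration, so a second parser reading the output sees differently named elements than one reading the input. The screen is a mitigation for consumers that must re-serialize; the more robust pattern for signature validation is to act only on the exact bytes or tree that the signature validator accepted and never to parse the original input a second time.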
Impact
Successful exploitation bypasses SAML authentication entirely, allowing the attacker to impersonate any user of the application that delegates authentication to dex, which amounts to a full compromise of that application's confidentiality, integrity, and availability [2][3].
Mitigation
The issue is fixed in dex 2.27.0, released on 2020-12-17; upgrade to that version or later. No workaround was available at the time of the references. Users of Red Hat Advanced Cluster Management for Kubernetes 2.1 were told that the vulnerable library is not used in production there and will be removed in a future update [2][3][4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/dexidp/dex | Go | < 2.27.0 | 2.27.0 |
Affected products
- github.com/dexidp/dex (OSV coordinates, 7 package versions):
  - pkg:apk/chainguard/kots (no CPE) range: < 0
  - pkg:apk/chainguard/kots-compat (no CPE) range: < 0
  - pkg:apk/chainguard/kots-symlink-compat (no CPE) range: < 0
  - pkg:apk/wolfi/kots (no CPE) range: < 0
  - pkg:apk/wolfi/kots-compat (no CPE) range: < 0
  - pkg:apk/wolfi/kots-symlink-compat (no CPE) range: < 0
  - pkg:golang/github.com/dexidp/dex (no CPE) range: < 2.27.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-2x32-jm95-2cpx (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-27847 (GHSA; advisory)
- bugzilla.redhat.com/show_bug.cgi (GHSA; x_refsource_MISC, web)
- github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5 (GHSA; x_refsource_MISC, web)
- mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities (GHSA; web)
- mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/ (MITRE; x_refsource_MISC)
News mentions
No linked articles in our index yet.