Critical severityNVD Advisory· Published Dec 14, 2020· Updated Sep 17, 2024
CVE-2020-29509
CVE-2020-29509
Description
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/russellhaering/gosaml2Go | < 0.6.0 | 0.6.0 |
Affected products
19- osv-coords18 versionspkg:apk/chainguard/go-1.19pkg:apk/chainguard/go-1.19-docpkg:apk/chainguard/go-1.20pkg:apk/chainguard/go-1.20-docpkg:apk/chainguard/go-1.21pkg:apk/chainguard/go-1.21-docpkg:apk/chainguard/go-fips-1.20pkg:apk/chainguard/go-fips-1.20-docpkg:apk/wolfi/go-1.19pkg:apk/wolfi/go-1.19-docpkg:apk/wolfi/go-1.20pkg:apk/wolfi/go-1.20-docpkg:apk/wolfi/go-1.21pkg:apk/wolfi/go-1.21-docpkg:apk/wolfi/go-fips-1.20pkg:apk/wolfi/go-fips-1.20-docpkg:bitnami/golangpkg:golang/github.com/russellhaering/gosaml2
< 0+ 17 more
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 1.17.0
- (no CPE)range: < 0.6.0
Patches
Vulnerability mechanics
References
8- github.com/advisories/GHSA-xhqq-x44f-9fggghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-29509ghsaADVISORY
- github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-attributes.mdghsax_refsource_MISCWEB
- github.com/russellhaering/gosaml2/commit/42606dafba60c58c458f14f75c4c230459672ab9ghsaWEB
- github.com/russellhaering/gosaml2/security/advisories/GHSA-xhqq-x44f-9fggghsaWEB
- pkg.go.dev/vuln/GO-2021-0060ghsaWEB
- security.netapp.com/advisory/ntap-20210129-0006ghsaWEB
- security.netapp.com/advisory/ntap-20210129-0006/mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.