Go modules package
github.com/russellhaering/goxmldsig
pkg:golang/github.com/russellhaering/goxmldsig
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-33487 | High | 7.5 | | < 1.6.0 | 1.6.0 | Mar 26, 2026 | goxmldsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the `validateSignature` function in `validate.go` goes through the references in the `SignedInfo` block to find one that matches the signed element's ID. In Go versions before 1.22, or when `go.mo |
| CVE-2020-7731 | — | | | < 1.1.1 | 1.1.1 | Apr 30, 2021 | This affects all versions <0.7.0 of package github.com/russellhaering/gosaml2. There is a crash on nil-pointer dereference caused by sending malformed XML signatures. |
| CVE-2020-26290 | — | | | < 1.1.0 | 1.1.0 | Dec 28, 2020 | Dex is a federated OpenID Connect provider written in Go. In Dex before version 2.27.0 there is a critical set of vulnerabilities which impact users leveraging the SAML connector. The vulnerabilities enable potential signature bypass due to issues with XML encoding in the under |
| CVE-2020-15216 | — | | | < 1.1.0 | 1.1.0 | Sep 29, 2020 | In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade t |
| CVE-2020-7711 | — | | | < 1.1.1 | 1.1.1 | Aug 23, 2020 | This affects all versions of package github.com/russellhaering/goxmldsig. There is a crash on nil-pointer dereference caused by sending malformed XML signatures. |