CRITICAL🇬🇧 English

CVE-2020-26290

CVSS 9.3v3.1pub. 2020-12-28upd. 2024-11-21

Dex is a federated OpenID Connect provider written in Go. In Dex before version 2.27.0 there is a critical set of vulnerabilities which impacts users leveraging the SAML connector. The vulnerabilities enables potential signature bypass due to issues with XML encoding in the underlying Go library. The vulnerabilities have been addressed in version 2.27.0 by using the xml-roundtrip-validator from Mattermost (see related references).

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
  • Linuxfoundation Dex

    APP
    Linuxfoundation
    < 2.27.0
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2022-39222CRITICAL9.3ten sam produkt

Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex instances with...

CVE-2020-27847CRITICAL9.8ten sam produkt

A vulnerability exists in the SAML connector of the github.com/dexidp/dex library used to process SAML Signatu...

CVE-2024-23656HIGH7.5ten sam produkt

Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves ...

CVE-2026-53488CRITICAL9.4ten sam vendor

containerd is an open-source container runtime. In versions prior to 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10 t...

CVE-2026-44477CRITICAL9.4PL ✓ten sam vendor

CloudNativePG: eskalacja uprawnień do superużytkownika PostgreSQL przez metrics exporter