CVE-2020-26290 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2020-26290 Interim 1 2 2021-12-09T02:13:41Z current 2021-09-30T01:32:57Z 2021-12-09T02:13:41Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2020-26290 Dex is a federated OpenID Connect provider written in Go. In Dex before version 2.27.0 there is a critical set of vulnerabilities which impacts users leveraging the SAML connector. The vulnerabilities enables potential signature bypass due to issues with XML encoding in the underlying Go library. The vulnerabilities have been addressed in version 2.27.0 by using the xml-roundtrip-validator from Mattermost (see related references). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Tumbleweed dex-oidc-2.28.1-1.3 dex-oidc-2.28.1-1.3 as a component of openSUSE Tumbleweed Dex is a federated OpenID Connect provider written in Go. In Dex before version 2.27.0 there is a critical set of vulnerabilities which impacts users leveraging the SAML connector. The vulnerabilities enables potential signature bypass due to issues with XML encoding in the underlying Go library. The vulnerabilities have been addressed in version 2.27.0 by using the xml-roundtrip-validator from Mattermost (see related references). CVE-2020-26290 openSUSE Tumbleweed:dex-oidc-2.28.1-1.3 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H