
Critical Golang XML parser bugs can cause SAML authentication bypass
2020-12-14 20:23

This week, Mattermost, in coordination with the Go project, disclosed three critical vulnerabilities in the Go language's XML parser.

The XML round-trip vulnerabilities lie in Go's XML parser, encoding/xml, which does not return reliable results when encoding and decoding XML input: a document that is decoded, re-encoded and decoded again can come back with a different meaning.

Various SAML implementations that rely on this XML parser can be tricked by attackers into bypassing SAML authentication altogether.

Security Assertion Markup Language (SAML) is an XML-based web authentication standard used by many prominent websites and services to simplify online sign-in. "Because of these vulnerabilities, Go-based SAML implementations are in many cases open to tampering by an attacker: by injecting malicious markup to a correctly signed SAML message, it's possible to make it still appear correctly signed, but change its semantics to convey a different identity than the original document," warned Mattermost.

For a mission-critical application that uses this XML parser, the impact within a SAML SSO system can be privilege escalation or authentication bypass, depending on how the application uses the vulnerable parser.
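The defensive check implied by the round-trip description above, as an added example (not code from Mattermost, the Go project or the article): a SAML verifier decodes the message, re-encodes the tokens with encoding/xml, decodes the result again and rejects the message if the namespace-resolved token stream changed. The sample document, the function names and the simplifications (only default/prefixed element namespaces and plain attributes are compared; it does not claim to catch every divergence encoding/xml has) are assumptions of this example.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)
// Constructed, heavily simplified SAML-style document (no real signature).
const sampleResponse = `<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1">` +
	`<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><NameID>alice</NameID></Assertion></Response>`
// tokenize decodes doc strictly into namespace-resolved tokens, dropping xmlns declarations (Name.Space carries them).
func tokenize(doc string) (toks []xml.Token, _ error) {
	d := xml.NewDecoder(strings.NewReader(doc))
	for t, err := d.Token(); err != io.EOF; t, err = d.Token() {
		if err != nil {
			return nil, err
		}
		if se, ok := t.(xml.StartElement); ok {
			var kept []xml.Attr
			for _, a := range se.Attr {
				if a.Name.Local != "xmlns" && a.Name.Space != "xmlns" {
					kept = append(kept, a)
				}
			}
			se.Attr = kept
			t = se
		}
		toks = append(toks, xml.CopyToken(t)) // Token() reuses its buffers
	}
	return toks, nil
}
// RoundTripCheck re-encodes the decoded tokens, decodes the result again and fails if the resolved token stream differs.
func RoundTripCheck(doc string) error {
	first, err := tokenize(doc)
	var buf strings.Builder
	enc := xml.NewEncoder(&buf) // the encoder re-declares each element's Name.Space itself
	for i := 0; err == nil && i < len(first); i++ {
		err = enc.EncodeToken(first[i])
	}
	if err != nil {
		return err
	}
	enc.Flush() // cannot fail: strings.Builder writes never return an error
	second, err := tokenize(buf.String())
	if err == nil && fmt.Sprintf("%#v", first) != fmt.Sprintf("%#v", second) {
		err = fmt.Errorf("decoded meaning changed after re-encoding:\n%#v\n%#v", first, second)
	}
	return err
}
```

A verifier would run RoundTripCheck on the raw assertion before reading any identity out of it and treat a non-nil error as a failed authentication.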


News URL

https://www.bleepingcomputer.com/news/security/critical-golang-xml-parser-bugs-can-cause-saml-authentication-bypass/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Golang 13 1 36 91 16 144