{"id":"GO-2021-0058","summary":"Signature validation bypass due to XML processing error in github.com/crewjam/saml","details":"Due to the behavior of encoding/xml, a crafted XML document may cause XML Digital Signature validation to be entirely bypassed, causing an unsigned document to appear signed.","aliases":["BIT-grafana-2020-27846","CVE-2020-27846","GHSA-4hq8-gmxx-h6w9"],"modified":"2026-03-17T04:05:37.662838Z","published":"2021-04-14T20:04:52Z","database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2021-0058"},"references":[{"type":"FIX","url":"https://github.com/crewjam/saml/commit/da4f1a0612c0a8dd0452cf8b3c7a6518f6b4d053"}],"affected":[{"package":{"name":"github.com/crewjam/saml","ecosystem":"Go","purl":"pkg:golang/github.com/crewjam/saml"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.4.3"}]}],"ecosystem_specific":{"imports":[{"symbols":["IdentityProvider.ServeSSO","IdpAuthnRequest.Validate","ServiceProvider.ParseResponse","ServiceProvider.ParseXMLResponse","ServiceProvider.ValidateLogoutResponseForm","ServiceProvider.ValidateLogoutResponseRedirect","ServiceProvider.ValidateLogoutResponseRequest"],"path":"github.com/crewjam/saml"},{"symbols":["Server.HandlePutService","getSPMetadata"],"path":"github.com/crewjam/saml/samlidp"},{"symbols":["FetchMetadata","Middleware.ServeHTTP","New","ParseMetadata"],"path":"github.com/crewjam/saml/samlsp"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2021-0058.json"}}],"schema_version":"1.7.5"}