What is CVE-2020-26290?

CVE-2020-26290 is a critical-severity vulnerability in Dexidp Dex, classified under Improper Verification of Cryptographic Signature. CVSS score: 9.3/10. Published 2020-12-28.

How severe is CVE-2020-26290?

Critical severity. CVSS v3 base score is 9.3 out of 10.

Vulnerability in Dexidp Dex

CVE-2020-26290

Dex is a federated OpenID Connect provider written in Go. In Dex before version 2.27.0 there is a critical set of vulnerabilities which impacts users leveraging the SAML connector. The vulnerabilities enables potential signature bypass due…

EPSS: 0.005 (66.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.3 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N.

Affected products

Dexidp Dex — versions < 2.27.0

Weakness classification (CWE)

CWE-347 — Improper Verification of Cryptographic Signature

References

github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-d… (x_refsource_MISC)
github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-e… (x_refsource_MISC)
github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-a… (x_refsource_MISC)
mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/ (x_refsource_MISC)
github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5 (x_refsource_CONFIRM)
github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7 (x_refsource_MISC)
github.com/dexidp/dex/commit/324b1c886b407594196113a3dbddebe38eecd4e8 (x_refsource_MISC)
github.com/dexidp/dex/releases/tag/v2.27.0 (x_refsource_MISC)

Frequently asked questions

What is CVE-2020-26290?: CVE-2020-26290 is a critical-severity vulnerability in Dexidp Dex, classified under Improper Verification of Cryptographic Signature. CVSS score: 9.3/10. Published 2020-12-28.
How severe is CVE-2020-26290?: Critical severity. CVSS v3 base score is 9.3 out of 10.