CVE-2020-36563

Published: Dec 28, 2022Modified: Apr 11, 2025

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

XML Digital Signatures generated and validated using this package use SHA-1, which may allow an attacker to craft inputs which cause hash collisions depending on their control over the input.

Affected (1)

Products: Robotsandpencils: Go Saml

Robotsandpencils

1 product

Go Saml

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Robotsandpencils Go Saml	All versions

Related CWEs

CWE-347

Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

References (4)

https://github.com/RobotsAndPencils/go-saml/pull/38

Source: security@golang.org

PatchThird Party Advisory

https://pkg.go.dev/vuln/GO-2020-0047

Source: security@golang.org

PatchVendor Advisory

https://github.com/RobotsAndPencils/go-saml/pull/38

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://pkg.go.dev/vuln/GO-2020-0047

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.