---

CVE-2020-29509 - log back

CVE-2020-29509 edited at 04 Apr 2021 10:41:15
Remote	- Local + Remote

CVE-2020-29509 edited at 04 Apr 2021 10:41:06
References	https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-attributes.md https://github.com/mattermost/xml-roundtrip-validator + https://github.com/golang/go/issues/43168 + https://go-review.googlesource.com/c/go/+/277892 + https://github.com/golang/go/commit/4d014e723165f28b34458edb4aa9136e0fb4c702

CVE-2020-29509 edited at 14 Dec 2020 20:10:12
Notes	+ Workaround + ========== + + The github.com/mattermost/xml-roundtrip-validator module can detect unstable constructs in an XML document, including unstable attribute namespace prefixes. Invoking the validator on all untrusted markup and failing early if it returns an error can prevent these types of issue from being exploited in an otherwise affected application.

CVE-2020-29509 edited at 14 Dec 2020 20:07:50
Severity	- Unknown + Medium
Remote	- Unknown + Local
Type	- Unknown + Incorrect calculation
Description	+ Go's encoding/xml handles namespace prefixes on XML attributes in a way that causes crafted markup to mutate during round-trips through the xml.Decoder and xml.Encoder implementations. Encoding and decoding using Go's encoding/xml can change the observed namespace as well as the observed local name of a maliciously crafted XML attribute. + + Affected applications include software that relies on XML integrity for security-sensitive decisions. Prominent examples of such applications include SAML and XML-DSig implementations.
References	+ https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-attributes.md + https://github.com/mattermost/xml-roundtrip-validator
Notes

CVE-2020-29509 created at 14 Dec 2020 20:05:03