7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-7731

CVE-2020-7731: github.com/russellhaering/gosaml2 is vulnerable to NULL Pointer Dereference

Impact

In versions prior to v0.7.0 it was possible for an attacker to supply an invalid assertion which would trigger a panic due to a nil-pointer dereference.

Patches

The issue was patched in v0.7.0, released on March 2, 2022.

Workarounds

Callers to gosaml2 can use recover() to handle panics to mitigate a potential DoS.

References

See issue #59 for details.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2020-7731

CVE-2020-7731:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/russellhaering/gosaml2	go	< 0.7.0	0.7.0
github.com/russellhaering/goxmldsig	go	< 1.1.1	1.1.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The commit diff shows the vulnerable code was in validateAssertionSignatures' callback function where unverifiedAssertion.Parent() was accessed without nil-check. The patch added a parent == nil guard clause to prevent dereferencing. The CWE-476 classification and crash reports confirm this pattern matches NULL Pointer Dereference vulnerabilities. The added test TestMalFormedInput specifically validates this fix by triggering the parent nil scenario.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2020-7731: github.com/russellhaering/gosaml2 is vulnerable to NULL Pointer Dereference

Impact

Patches

Workarounds

References

CVE-2020-7731:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

CVE-2020-7731: github.com/russellhaering/gosaml2 is vulnerable to NULL Pointer Dereference

Impact

Patches

Workarounds

References

Basic Information

Basic Information

7.5

7.5

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI