[CVE-2020-7731] CWE-476: NULL Pointer Dereference? #99

johakoch · 2022-11-10T09:22:41Z

https://ossindex.sonatype.org/vulnerability/CVE-2020-7731?component-type=golang&component-name=github.com%2Frussellhaering%2Fgosaml2

This affects all versions of package github.com/russellhaering/gosaml2. There is a crash on nil-pointer dereference caused by sending malformed XML signatures.

The document mentions #59 which was fixed with #90

Maybe https://ossindex.sonatype.org/vulnerability/CVE-2020-7731?component-type=golang&component-name=github.com%2Frussellhaering%2Fgosaml2 is not up-to-date.

russellhaering · 2022-11-10T23:12:39Z

You're right, but I'm not quite sure what is causing this. The Snyk report, which the CVE seems to reference, correctly notes that this was resolved in v0.7.0.

I've opened a GitHub Security Advisory reflecting the status of this - perhaps that will propagate to the CVE?

I'll keep this open for tracking.

johakoch · 2022-11-11T09:37:23Z

Maybe, you could also Report advisory or correction for ossindex.sonatype.org.

johakoch changed the title ~~[CVE-2020-7731] CWE-476: NULL Pointer Dereference~~ [CVE-2020-7731] CWE-476: NULL Pointer Dereference? Nov 10, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[CVE-2020-7731] CWE-476: NULL Pointer Dereference? #99

[CVE-2020-7731] CWE-476: NULL Pointer Dereference? #99

johakoch commented Nov 10, 2022 •

edited

Loading

russellhaering commented Nov 10, 2022

johakoch commented Nov 11, 2022

[CVE-2020-7731] CWE-476: NULL Pointer Dereference? #99

[CVE-2020-7731] CWE-476: NULL Pointer Dereference? #99

Comments

johakoch commented Nov 10, 2022 • edited Loading

russellhaering commented Nov 10, 2022

johakoch commented Nov 11, 2022

johakoch commented Nov 10, 2022 •

edited

Loading