
Cloud Vulnerability DB
A community-led vulnerabilities database
XML Digital Signatures generated and validated by the go-saml package use SHA-1, which may allow an attacker, depending on how much of the signed input they control, to craft inputs that collide under SHA-1. The vulnerability was assigned CVE-2020-36563 and was published on December 27, 2022. It affects all versions of github.com/RobotsAndPencils/go-saml, with no known fixed version (NVD, Go Package).
The vulnerability stems from the package's use of SHA-1 both when it produces XML Digital Signatures and when it validates them. The affected components are the AuthnRequest.Validate, NewAuthnRequest, NewSignedResponse, and ServiceProviderSettings.GetAuthnRequest functions. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, that is, a network-reachable weakness requiring no privileges or user interaction, whose only rated impact is a low loss of integrity (NVD).
Using SHA-1 inside an XML Digital Signature reduces the signature's strength to that of the hash, and SHA-1 collisions are practical (identical-prefix collisions were demonstrated publicly in 2017 and chosen-prefix collisions in 2020). An attacker who can influence what gets signed could therefore prepare two messages with the same SHA-1 digest, have the harmless one signed, and present the signature with the other. This is why the advisory qualifies the risk by the attacker's control over the input: no practical second-preimage attack on SHA-1 is known, so a signature over content the attacker did not shape cannot simply be transplanted, which is also what the integrity-only, low-impact CVSS rating reflects (NVD).
A pull request (#38) was opened to address this by switching from SHA-1 to SHA-256 for signing AuthnRequests and AuthnResponses. As of August 2020, however, the fix had not been merged, and the repository maintainers appeared to be inactive. Users are advised to consider more actively maintained forks of the library and, before adopting one, to confirm that the SignatureMethod and DigestMethod identifiers in the messages it produces are the SHA-256 ones rather than rsa-sha1 and sha1 (GitHub PR).
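The check a practitioner would want at this point, as an added example and not code from the go-saml project or from this page: a small Go audit that reads a SAML AuthnRequest or Response, reports which ds:SignatureMethod and ds:DigestMethod identifiers it carries, and rejects the SHA-1 ones. It is useful for confirming whether a fork actually emits SHA-256 and for gating an incoming message before it reaches AuthnRequest.Validate. The algorithm URIs are the standard XML-DSig identifiers; the function names and the sample request (digest and signature values left empty) are my own constructions.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Standard XML-DSig identifiers (RFC 3275 / RFC 6931): the SHA-1 pair the advisory
// describes go-saml using, and the SHA-256 pair PR #38 switches to.
const (
	dsigNS       = "http://www.w3.org/2000/09/xmldsig#"
	RSASHA1      = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
	DigestSHA1   = "http://www.w3.org/2000/09/xmldsig#sha1"
	RSASHA256    = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
	DigestSHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
)

// weakAlgorithms lists the identifiers a SAML message should no longer carry.
var weakAlgorithms = map[string]bool{RSASHA1: true, DigestSHA1: true}

// Finding records one ds:SignatureMethod or ds:DigestMethod seen in a document.
type Finding struct {
	Element   string // "SignatureMethod" or "DigestMethod"
	Algorithm string // value of the Algorithm attribute
	Weak      bool   // true for the SHA-1 identifiers
}

// AuditSignatureAlgorithms walks the XML token stream and records every signature
// and digest algorithm it meets. It does not verify the signature at all.
func AuditSignatureAlgorithms(doc string) ([]Finding, error) {
	dec := xml.NewDecoder(strings.NewReader(doc))
	var findings []Finding
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return findings, nil
		}
		if err != nil {
			return nil, err
		}
		// Decoder.Token resolves prefixes, so Name.Space holds the namespace URI.
		se, ok := tok.(xml.StartElement)
		if !ok || se.Name.Space != dsigNS {
			continue
		}
		if se.Name.Local != "SignatureMethod" && se.Name.Local != "DigestMethod" {
			continue
		}
		for _, a := range se.Attr {
			if a.Name.Local == "Algorithm" {
				findings = append(findings, Finding{se.Name.Local, a.Value, weakAlgorithms[a.Value]})
			}
		}
	}
}

// RejectWeakSignature is a gate to run on a message before handing it to the
// library: it fails closed on SHA-1 and on messages that carry no algorithm at all.
func RejectWeakSignature(doc string) error {
	findings, err := AuditSignatureAlgorithms(doc)
	if err != nil {
		return fmt.Errorf("malformed XML: %w", err)
	}
	if len(findings) == 0 {
		return fmt.Errorf("no ds:SignatureMethod or ds:DigestMethod present")
	}
	for _, f := range findings {
		if f.Weak {
			return fmt.Errorf("%s uses %s (SHA-1)", f.Element, f.Algorithm)
		}
	}
	return nil
}

// SampleSHA1 is a constructed signed AuthnRequest (not real library output; digest
// and signature values left empty) that uses the SHA-1 identifiers.
const SampleSHA1 = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0">
 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#_r1"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  <ds:DigestValue/></ds:Reference></ds:SignedInfo><ds:SignatureValue/>
 </ds:Signature></samlp:AuthnRequest>`

// SampleSHA256 is the same request with the identifiers PR #38 switches to.
var SampleSHA256 = strings.NewReplacer(RSASHA1, RSASHA256, DigestSHA1, DigestSHA256).Replace(SampleSHA1)

func main() {
	for _, doc := range []string{SampleSHA1, SampleSHA256} {
		findings, _ := AuditSignatureAlgorithms(doc)
		fmt.Println(findings, "->", RejectWeakSignature(doc))
	}
}
```

The audit deliberately keys on the namespace URI rather than the `ds:` prefix, since a message may bind the XML-DSig namespace to any prefix or to the default namespace. It says nothing about whether the signature is valid; that remains the library's job, and the gate only ensures the library is never asked to accept a SHA-1 signature in the first place.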
The security community has shown concern about the continued use of SHA-1 in the package. Snyk indicated plans to add this issue to their vulnerability database, and there were discussions about the lack of maintenance of the repository (GitHub PR).
Source: This report was generated using AI