GHSA-5684-g483-2249: 
vulnerability analysis and mitigation

A critical signature validation bypass vulnerability was identified in the gosaml2 Go package (GHSA-5684-g483-2249). The vulnerability affects versions prior to 0.5.0 of github.com/russellhaering/gosaml2 and was published on September 29, 2020. This security flaw allows potential modification of SAML Response documents while bypassing signature validation (GitHub Advisory).

The vulnerability is classified as CWE-347 (Improper Verification of Cryptographic Signature) and has been assigned a Critical severity rating. The technical issue lies in the signature validation mechanism of SAML responses, where the system fails to properly verify cryptographic signatures of modified documents (GitHub Advisory).

The vulnerability enables attackers to modify valid SAML Response documents while bypassing signature validation checks. This can lead to two significant attack scenarios: 1) users gaining unauthorized access to accounts other than their authenticated ones in the identity provider, and 2) complete authentication bypass if an attacker obtains an expired, signed SAML Response (GitHub Advisory).

A patch has been released to address this vulnerability. Users of gosaml2 are strongly advised to upgrade to version 0.5.0 or higher to mitigate the risk (GitHub Advisory).