{"api_version":"1","generated_at":"2026-05-13T07:40:30+00:00","cve":"CVE-2020-27847","urls":{"html":"https://cve.report/CVE-2020-27847","api":"https://cve.report/api/cve/CVE-2020-27847.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-27847","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-27847"},"summary":{"title":"CVE-2020-27847","description":"A vulnerability exists in the SAML connector of the github.com/dexidp/dex library used to process SAML Signature Validation. This flaw allows an attacker to bypass SAML authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. This flaw affects dex versions before 2.27.0.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2021-05-28 11:15:00","updated_at":"2023-11-07 03:21:00"},"problem_types":["CWE-228"],"metrics":[],"references":[{"url":"https://github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5","name":"https://github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5","refsource":"MISC","tags":[],"title":"Critical security issues in XML encoding · Advisory · dexidp/dex · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1907732","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1907732","refsource":"MISC","tags":[],"title":"1907732 – (CVE-2020-27847) CVE-2020-27847 dexidp/dex: authentication bypass in saml authentication","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/","name":"https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/","refsource":"MISC","tags":[],"title":"Coordinated disclosure of XML round-trip vulnerabilities in Go library","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-27847","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-27847","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"27847","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"linuxfoundation","cpe5":"dex","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2020-27847","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"dexidp/dex","version":{"version_data":[{"version_value":"dex 2.27.0"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-228->CWE-290"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/","url":"https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/"},{"refsource":"MISC","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1907732","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1907732"},{"refsource":"MISC","name":"https://github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5","url":"https://github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5"}]},"description":{"description_data":[{"lang":"eng","value":"A vulnerability exists in the SAML connector of the github.com/dexidp/dex library used to process SAML Signature Validation. This flaw allows an attacker to bypass SAML authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. This flaw affects dex versions before 2.27.0."}]}},"nvd":{"publishedDate":"2021-05-28 11:15:00","lastModifiedDate":"2023-11-07 03:21:00","problem_types":["CWE-228"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":7.5},"severity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:linuxfoundation:dex:*:*:*:*:*:*:*:*","versionEndExcluding":"2.27.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"27847","Ordinal":"189583","Title":"CVE-2020-27847","CVE":"CVE-2020-27847","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"27847","Ordinal":"1","NoteData":"A vulnerability exists in the SAML connector of the github.com/dexidp/dex library used to process SAML Signature Validation. This flaw allows an attacker to bypass SAML authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. This flaw affects dex versions before 2.27.0.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"27847","Ordinal":"2","NoteData":"2021-05-28","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"27847","Ordinal":"3","NoteData":"2021-05-28","Type":"Other","Title":"Modified"}]}}}