CyberSec.Space Logo
CVEブラウザに戻る

CVE-2020-26276

CRITICAL
10.0
CVSS Severity Score
EPSS Score0.0890%
EPSS Percentile5.13th
Published2020年12月17日
Last Modified2024年11月21日

Vulnerability Description

Fleet is an open source osquery manager. In Fleet before version 3.5.1, due to issues in Go's standard library XML parsing, a valid SAML response may be mutated by an attacker to modify the trusted document. This can result in allowing unverified logins from a SAML IdP. Users that configure Fleet with SSO login may be vulnerable to this issue. This issue is patched in 3.5.1. The fix was made using https://github.com/mattermost/xml-roundtrip-validator If upgrade to 3.5.1 is not possible, users should disable SSO authentication in Fleet.

Affected Platforms (CPE)

📦
Fleetdm

Fleet

< 3.5.1

References & Advisories

🔗 https://github.com/fleetdm/fleet/blob/master/CHANGELOG.md#fleet-351-dec-14-2020
🔗 https://github.com/fleetdm/fleet/commit/57812a532e5f749c8e18c6f6a652eca65c083607
🔗 https://github.com/fleetdm/fleet/security/advisories/GHSA-w3wf-cfx3-6gcx
🔗 https://github.com/mattermost/xml-roundtrip-validator
🔗 https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities
🔗 https://github.com/fleetdm/fleet/blob/master/CHANGELOG.md#fleet-351-dec-14-2020
🔗 https://github.com/fleetdm/fleet/commit/57812a532e5f749c8e18c6f6a652eca65c083607
🔗 https://github.com/fleetdm/fleet/security/advisories/GHSA-w3wf-cfx3-6gcx

関連する脆弱性情報

CVE-2023-50479.8

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in DRD Fleet Leasing DRDrive al...

CVE-2020-102699.8

One of the wireless interfaces within MiR100, MiR200 and possibly (according to the vendor) other MiR fleet vehicles comes pre-con...

CVE-2020-102709.8

Out of the wired and wireless interfaces within MiR100, MiR200 and other vehicles from the MiR fleet, it's possible to access the ...

CVE-2026-105579.8

The Yarbo Android and iOS applications contain hard-coded MQTT broker credentials that are identical for all users and all devices...