This affects all versions of package github.com/russellhaering/goxmldsig. There is a crash on nil-pointer dereference caused by sending malformed XML signatures.
External References: https://github.com/russellhaering/goxmldsig/issues/48
Created golang-github-russellhaering-goxmldsig tracking bugs for this issue: Affects: fedora-all [bug 1871692]
Statement: Whilst the OpenShift Container Platform (OCP) and OpenShift Service Mesh (OSSM) Grafana container does include goxmldsig, it is only included as part of the SAML implementation. SAML is only available in the enterprise version of Grafana (https://grafana.com/docs/grafana/latest/auth/saml/). Hence the openshift4/ose-grafana and servicemesh-grafana containers have been marked as wont-fix and may be addressed in a future update.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-7711