A vulnerability exists in the SAML connector of the github.com/dexidp/dex library, in the code that validates the signature on SAML responses. An attacker who can reach the connector can use this flaw to bypass SAML authentication.
External References:
https://github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5
https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/
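The advisory above does not describe the mechanism of the Dex flaw, so the following is not Dex's code and does not reproduce CVE-2020-27847. It is an added example of the property every SAML signature check must hold regardless of mechanism: the identity the service trusts must be read from exactly the element whose signature was verified, and nothing else in the document may stand in for it. A toy HMAC over the assertion fields replaces XML-DSig so the example runs offline; the element names, the key, and the two sample responses are constructed for this illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
)

// demoKey is a constructed shared secret standing in for the IdP signing key.
var demoKey = []byte("constructed-idp-secret-for-this-example-only")

// Response and Assertion are a deliberately minimal model of a SAML Response.
// Real SAML carries namespaces, conditions, audiences and an XML-DSig element,
// none of which is modelled here.
type Response struct {
	XMLName    xml.Name    `xml:"Response"`
	Assertions []Assertion `xml:"Assertion"`
}

type Assertion struct {
	ID        string `xml:"ID,attr"`
	Subject   string `xml:"Subject"`
	Signature string `xml:"Signature"`
}

// mac is the toy signature: HMAC-SHA256 over ID and Subject, standing in for
// XML-DSig so the example runs offline.
func mac(a Assertion) []byte {
	m := hmac.New(sha256.New, demoKey)
	fmt.Fprintf(m, "%s|%s", a.ID, a.Subject)
	return m.Sum(nil)
}

func sign(a Assertion) Assertion {
	a.Signature = hex.EncodeToString(mac(a))
	return a
}

func verify(a Assertion) bool {
	got, err := hex.DecodeString(a.Signature)
	return err == nil && hmac.Equal(got, mac(a))
}

// VulnerableSubject checks that *some* assertion carries a valid signature and
// then reads the identity from the first assertion in document order. The
// element that was checked and the element that is trusted can differ.
func VulnerableSubject(raw []byte) (string, error) {
	var r Response
	if err := xml.Unmarshal(raw, &r); err != nil {
		return "", err
	}
	for _, a := range r.Assertions {
		if verify(a) {
			return r.Assertions[0].Subject, nil // trusts a possibly different element
		}
	}
	return "", errors.New("no assertion with a valid signature")
}

// HardenedSubject accepts exactly one assertion and reads the identity only
// from the element whose signature it verified.
func HardenedSubject(raw []byte) (string, error) {
	var r Response
	if err := xml.Unmarshal(raw, &r); err != nil {
		return "", err
	}
	if len(r.Assertions) != 1 {
		return "", fmt.Errorf("expected exactly one Assertion, got %d", len(r.Assertions))
	}
	a := r.Assertions[0]
	if !verify(a) {
		return "", errors.New("assertion signature invalid")
	}
	return a.Subject, nil
}

func render(as ...Assertion) []byte {
	out := "<Response>"
	for _, a := range as {
		out += fmt.Sprintf(`<Assertion ID="%s"><Subject>%s</Subject><Signature>%s</Signature></Assertion>`,
			a.ID, a.Subject, a.Signature)
	}
	return []byte(out + "</Response>")
}

// LegitResponse is a constructed sample of what the IdP would issue for alice.
func LegitResponse() []byte {
	return render(sign(Assertion{ID: "_a1", Subject: "alice"}))
}

// ForgedResponse is a constructed sample in which the attacker keeps the
// IdP-signed assertion untouched and prepends an unsigned one naming the
// account they want.
func ForgedResponse() []byte {
	return render(Assertion{ID: "_x", Subject: "admin"}, sign(Assertion{ID: "_a1", Subject: "alice"}))
}

func main() {
	for _, c := range []struct{ name string; raw []byte }{{"legit", LegitResponse()}, {"forged", ForgedResponse()}} {
		v, verr := VulnerableSubject(c.raw)
		h, herr := HardenedSubject(c.raw)
		fmt.Printf("%-6s vulnerable=%q err=%v | hardened=%q err=%v\n", c.name, v, verr, h, herr)
	}
}
```

The hardened path deliberately refuses a response with more than one assertion rather than trying to pick the right one; a relying party that must accept multiple assertions should instead bind each trusted field to the verified element it came from and never index the raw document again after verification.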
Statement: Red Hat Advanced Cluster Management for Kubernetes 2.1 packages the dexidp/dex library in observatorium-container for use in testing only. In production, this library and its functionality are not used and cannot be reached by an attacker. The severity of this vulnerability has therefore been downgraded for this product. A future update will remove this dependency.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-27847