In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available; all users of goxmldsig should upgrade to at least revision f6188febf0c29d7ffe26a0436212b19cb9615e64 or version 1.1.0.
Created golang-github-russellhaering-goxmldsig tracking bugs for this issue: Affects: fedora-all [bug 1884119]
Statement: Whilst the OpenShift Container Platform (OCP) and OpenShift Service Mesh (OSSM) grafana container does include goxmldsig, it is only included as part of the SAML implementation. SAML is only available in the enterprise version of Grafana (https://grafana.com/docs/grafana/latest/auth/saml/). Hence the openshift4/ose-grafana and servicemesh-grafana containers have been marked as wont-fix and may be addressed in a future update.
External References: https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-15216
Upstream fix: https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64
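As an added example (not code from the advisory or from the goxmldsig project), a small Go check that flags a go.mod requirement on goxmldsig that is still below the fix named above. The sample go.mod excerpt is constructed; the 12-character commit prefix is how Go pseudo-versions abbreviate the fix revision.

```go
package main

import "strconv"
import "strings"

// Module path and fix markers taken from the advisory text above.
const goxmldsigPath = "github.com/russellhaering/goxmldsig"
const fixCommitShort = "f6188febf0c2" // 12-char commit prefix as Go pseudo-versions embed it

// Constructed go.mod excerpt for the demo (not a real project's file).
const sampleGoMod = "require (\n\tgithub.com/beevik/etree v1.1.0\n\tgithub.com/russellhaering/goxmldsig v1.0.0 // indirect\n)\n"

// IsFixedGoxmldsig: fixed means a tagged release >= v1.1.0, a pseudo-version pinned to the fix
// commit, or one whose base is beyond v1.1.0 (semver orders vX.Y.Z-0.<ts>-<hash> just BELOW vX.Y.Z).
func IsFixedGoxmldsig(version string) bool {
	v, pre := strings.TrimSuffix(strings.TrimPrefix(version, "v"), "+incompatible"), false
	if i := strings.IndexByte(v, '-'); i >= 0 { // pre-release part => pseudo-version
		pre, v = true, v[:i]
	}
	if pre && strings.HasSuffix(version, "-"+fixCommitShort) {
		return true
	}
	fields := strings.Split(v, ".")
	if len(fields) != 3 {
		return false // unparseable versions count as unfixed
	}
	for i, want := range [3]int{1, 1, 0} { // lexicographic compare against v1.1.0
		got, err := strconv.Atoi(fields[i])
		if err != nil {
			return false
		}
		if got != want {
			return got > want
		}
	}
	return !pre // exactly v1.1.0 is fixed; v1.1.0-0.<ts>-<hash> predates the tag
}

// VulnerableRequires scans go.mod text and returns goxmldsig versions still below the fix.
func VulnerableRequires(gomod string) []string {
	var out []string
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == goxmldsigPath && !IsFixedGoxmldsig(f[1]) {
			out = append(out, f[1])
		}
	}
	return out
}
```

Pseudo-versions between the fix commit and the v1.1.0 tag cannot be recognised without repository history, so they are conservatively reported as unfixed.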