CVE-2020-15216

In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade to at least revision f6188febf0c29d7ffe26a0436212b19cb9615e64 or version 1.1.0

Weakness

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Affected Software

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/463.html
• https://cwe.mitre.org/data/definitions/475.html

References

• https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64
• https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUH33FPUXED3FHYL25BJOQPRKFGPOMS2/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZECBFD4M4PHBMBOCMSQ537NOU37QOVWP/
• https://pkg.go.dev/github.com/russellhaering/goxmldsig?tab=overview
• https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64
• https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUH33FPUXED3FHYL25BJOQPRKFGPOMS2/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZECBFD4M4PHBMBOCMSQ537NOU37QOVWP/
• https://pkg.go.dev/github.com/russellhaering/goxmldsig?tab=overview