
CVE-2020-15216

Improper Verification of Cryptographic Signature

Published: Sep 29, 2020 | Modified: Nov 07, 2023
CVSS 3.x:   6.5 MEDIUM (source: NVD)   CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVSS 2.x:   4.3 MEDIUM                 AV:N/AC:M/Au:N/C:N/I:P/A:N
RedHat/V2:  none listed
RedHat/V3:  6.5 MODERATE               CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Ubuntu:     MEDIUM

In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, an attacker with a carefully crafted XML file can completely bypass signature validation and pass off an altered file as a signed one. The CVSS vector (UI:R, I:H) reflects this: the attacker needs only to get the victim's application to process the crafted document, and the result is a full loss of integrity for whatever that application trusts the signature to protect. A patch is available; all users of goxmldsig should upgrade to at least revision f6188febf0c29d7ffe26a0436212b19cb9615e64 or version 1.1.0.

Weakness

CWE-347: The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Affected Software

Name                                    Vendor              Start Version  End Version
Goxmldsig                               Goxmldsig_project   *              1.1.0 (excluding)
Golang-github-russellhaering-goxmldsig  Ubuntu bionic       *
Golang-github-russellhaering-goxmldsig  Ubuntu groovy       *
Golang-github-russellhaering-goxmldsig  Ubuntu hirsute      *
Golang-github-russellhaering-goxmldsig  Ubuntu impish       *
Golang-github-russellhaering-goxmldsig  Ubuntu kinetic      *
Golang-github-russellhaering-goxmldsig  Ubuntu trusty       *
Golang-github-russellhaering-goxmldsig  Ubuntu upstream     *
