In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, an attacker can use a carefully crafted XML file to completely bypass signature validation and pass off an altered file as a signed one. A patch is available; all users of goxmldsig should upgrade to at least revision f6188febf0c29d7ffe26a0436212b19cb9615e64 or version 1.1.0.
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Goxmldsig | Goxmldsig_project | * | 1.1.0 (excluding) |
Golang-github-russellhaering-goxmldsig | Ubuntu | bionic | * |
Golang-github-russellhaering-goxmldsig | Ubuntu | groovy | * |
Golang-github-russellhaering-goxmldsig | Ubuntu | hirsute | * |
Golang-github-russellhaering-goxmldsig | Ubuntu | impish | * |
Golang-github-russellhaering-goxmldsig | Ubuntu | kinetic | * |
Golang-github-russellhaering-goxmldsig | Ubuntu | trusty | * |
Golang-github-russellhaering-goxmldsig | Ubuntu | upstream | * |
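
To check a Go project against the fixed version and revision named above, the following added example (not part of the advisory or of goxmldsig itself) classifies the goxmldsig version pinned in a `go.mod`. The module path `github.com/russellhaering/goxmldsig` is an assumption based on the package names in the table, and the sample `go.mod` text is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

const modulePath = "github.com/russellhaering/goxmldsig"     // assumed import path
const fixCommit = "f6188febf0c29d7ffe26a0436212b19cb9615e64" // fix revision from the advisory

// classify maps a Go module version to "fixed", "vulnerable" or "review".
func classify(v string) string {
	v = strings.TrimSuffix(strings.TrimPrefix(v, "v"), "+incompatible")
	pre := strings.Contains(v, "-") // pre-release or pseudo-version
	var a, b, c int
	if _, err := fmt.Sscanf(v, "%d.%d.%d", &a, &b, &c); err != nil {
		return "review"
	}
	atLeast := a > 1 || (a == 1 && b >= 1)            // core >= 1.1.0
	above := atLeast && !(a == 1 && b == 1 && c == 0) // core > 1.1.0
	switch {
	case !pre && atLeast:
		return "fixed"
	case !pre:
		return "vulnerable"
	case above || strings.HasSuffix(v, "-"+fixCommit[:12]):
		return "fixed" // built on a tag past 1.1.0, or pinned to the fix revision
	}
	return "review" // commit order relative to the fix cannot be told from the string
}

// scanGoMod returns the goxmldsig version found in go.mod text and its verdict.
func scanGoMod(text string) (version, verdict string) {
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		for i := 0; i+1 < len(f); i++ {
			if f[i] == modulePath && strings.HasPrefix(f[i+1], "v") {
				return f[i+1], classify(f[i+1])
			}
		}
	}
	return "", "absent"
}

func main() {
	// Constructed go.mod content for illustration.
	fmt.Println(scanGoMod("module example.com/app\n\nrequire " + modulePath + " v1.0.0\n"))
}
```

A "review" verdict means the pin is a pseudo-version or pre-release below 1.1.0 whose commit is not the fix revision, so it has to be compared against the repository history by hand.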