xml-crypto is an XML digital signature and encryption library for Node.js. An attacker may be able to exploit a vulnerability in versions prior to 6.0.1, 3.2.1, and 2.1.6 to bypass authentication or authorization mechanisms in systems that rely on xml-crypto for verifying signed XML documents. The vulnerability allows an attacker to modify a valid signed XML message in a way that still passes signature verification checks. For example, it could be used to alter critical identity or access control attributes, enabling an attacker with a valid account to escalate privileges or impersonate another user. Users of versions 6.0.0 and prior should upgrade to version 6.0.1 to receive a fix. Those who are still using v2.x or v3.x should upgrade to patched versions 2.1.6 or 3.2.1, respectively.
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Red Hat Developer Hub (RHDH) 1.4 | RedHat | registry.redhat.io/rhdh/rhdh-hub-rhel9:sha256:577bd1595325229ba368ad2ece71faf31aec93c088e76c4bba507bf67e41753a | * |
| Red Hat Developer Hub (RHDH) 1.5 | RedHat | registry.redhat.io/rhdh/rhdh-hub-rhel9:sha256:56bfbb2328f42e91d0462e142f3434e5d771737defbc07d8a21dbdf50e468665 | * |