Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
githubGitHub Advisory DatabaseGHSA-Q547-GMF8-8JR7
HistoryMay 24, 2021 - 4:57 p.m.

github.com/russellhaering/goxmldsig vulnerable to Signature Validation Bypass

2021-05-2416:57:32
CWE-347
GitHub Advisory Database
github.com
33

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

50.9%

JSON

Impact

With a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one.

Patches

A patch is available, all users of goxmldsig should upgrade to v1.1.0.

For more information

If you have any questions or comments about this advisory open an issue at https://github.com/russellhaering/goxmldsig

Affected configurations

Vulners
Node
russellhaeringgoxmldsigRange<1.1.0

Related

nvd 1
nessus 2
debiancve 1
redhatcve 1
fedora 2
cvelist 1
ubuntucve 1
openvas 2
veracode 1
prion 1
cve 1
osv 9
github 1
nvd
nvd
CVE-2020-15216
2020-09-29 16:15:11
nessus
nessus
Fedora 32 : golang-github-russellhaering-goxmldsig (2021-9316ee2948)
2021-01-14 00:00:00
Fedora 33 : golang-github-russellhaering-goxmldsig (2021-a2a7673da2)
2021-01-14 00:00:00
debiancve
debiancve
CVE-2020-15216
2020-09-29 16:15:11
redhatcve
redhatcve
CVE-2020-15216
2020-10-01 06:05:42
fedora
fedora
[SECURITY] Fedora 33 Update: golang-github-russellhaering-goxmldsig-1.1.0-1.fc33
2021-01-14 01:40:24
[SECURITY] Fedora 32 Update: golang-github-russellhaering-goxmldsig-1.1.0-1.fc32
2021-01-14 01:44:09
cvelist
cvelist
CVE-2020-15216 Signature Validation Bypass in goxmldsig
2020-09-29 16:00:18
ubuntucve
ubuntucve
CVE-2020-15216
2020-09-29 00:00:00
openvas
openvas
Fedora: Security Advisory for golang-github-russellhaering-goxmldsig (FEDORA-2021-a2a7673da2)
2021-01-14 00:00:00
Fedora: Security Advisory for golang-github-russellhaering-goxmldsig (FEDORA-2021-9316ee2948)
2021-01-14 00:00:00
veracode
veracode
Signature Validation Bypass
2020-09-30 01:47:02
prion
prion
Design/Logic Flaw
2020-09-29 16:15:00
cve
cve
CVE-2020-15216
2020-09-29 16:15:11
osv
osv
XML digital signature validation bypass in github.com/russellhaering/goxmldsig
2021-04-14 20:04:52
CVE-2020-15216
2020-09-29 16:15:11
github.com/russellhaering/goxmldsig vulnerable to Signature Validation Bypass
2021-05-24 16:57:32
github
github
Critical security issues in XML encoding in github.com/dexidp/dex
2021-12-20 17:53:53

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

50.9%

JSON
Related for GHSA-Q547-GMF8-8JR7
nvd1nessus2debiancve1redhatcve1fedora2cvelist1ubuntucve1openvas2veracode1prion1cve1osv9github1