GoogleOSV:GHSA-PQM6-CGWR-X6PFSignature validation bypass in XmlSecLibs
EPSS
Percentile
61.6%
Rob Richards XmlSecLibs, all versions prior to v3.0.3, as used for example by SimpleSAMLphp, performed incorrect validation of cryptographic signatures in XML messages, allowing an authenticated attacker to impersonate others or elevate privileges by creating a crafted XML message.
References
github.com/FriendsOfPHP/security-advisories/blob/master/robrichards/xmlseclibs/CVE-2019-3465.yaml
github.com/robrichards/xmlseclibs/commit/0a53d3c3aa87564910cae4ed01416441d3ae0db5
lists.debian.org/debian-lts-announce/2019/11/msg00003.html
lists.fedoraproject.org/archives/list/[email protected]/message/7KID7C4AZPYYIZQIPSLANP4R2RQR6YK3
lists.fedoraproject.org/archives/list/[email protected]/message/AB34ILMJ67CUROBOR6YPKB46VHXLOAJ4
lists.fedoraproject.org/archives/list/[email protected]/message/BBKVDUZ7G5ZOUO4BFJWLNJ6VOKBQJX5U
lists.fedoraproject.org/archives/list/[email protected]/message/BNFMY5RRLU63P25HEBVDO5KAVI7TX7JV
lists.fedoraproject.org/archives/list/[email protected]/message/ESKJTWLE7QZBQ3EKMYXKMBQG3JDEJWM6
lists.fedoraproject.org/archives/list/[email protected]/message/HBE2SJSXG7J4XYLJ2H6HC2VPPOG2OMUN
lists.fedoraproject.org/archives/list/[email protected]/message/MAWOVYLZKYDCQBLQEJCFAAD3KQTBPHXE
lists.fedoraproject.org/archives/list/[email protected]/message/OCSR3V6LNWJAD37VQB6M2K7P4RQSCVFG
lists.fedoraproject.org/archives/list/[email protected]/message/XBSSRV5Q7JFCYO46A3EN624UZ4KXFQ2M
nvd.nist.gov/vuln/detail/CVE-2019-3465
seclists.org/bugtraq/2019/Nov/8
simplesamlphp.org/security/201911-01
www.debian.org/security/2019/dsa-4560
www.tenable.com/security/tns-2019-09
Related
