github.com/russellhaering/goxmldsig vulnerable to Signature Validation Bypass
Moderate severity
GitHub Reviewed
Published Sep 29, 2020 in russellhaering/goxmldsig • Updated Aug 29, 2023
Package
Affected versions: < 1.1.0
Patched versions: 1.1.0
Published by the National Vulnerability Database: Sep 29, 2020
Reviewed: May 24, 2021
Published to the GitHub Advisory Database: May 24, 2021
Last updated: Aug 29, 2023
Description
Impact
With a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one.
Patches
A patch is available; all users of goxmldsig should upgrade to v1.1.0.
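One way to check a project against the affected range, as an added example (not code from the advisory or from goxmldsig): it scans go.mod text for goxmldsig versions that sort before v1.1.0. The function names and the sample go.mod line are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Module path named in the advisory.
const modPath = "github.com/russellhaering/goxmldsig"

// Constructed go.mod line with a placeholder pseudo-version, for illustration.
const sampleGoMod = "require " + modPath + " v0.0.0-20200101000000-000000000000 // indirect"

// affected reports whether v sorts before v1.1.0; a pre-release of v1.1.0 does too.
func affected(v string) (bool, error) {
	got, patched := [3]int{}, [3]int{1, 1, 0} // patched: first fixed release per the advisory
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+") // drop +incompatible
	core, _, hasPre := strings.Cut(v, "-")
	if _, err := fmt.Sscanf(core, "%d.%d.%d", &got[0], &got[1], &got[2]); err != nil {
		return false, fmt.Errorf("unparseable version %q", v)
	}
	for i, n := range got {
		if n != patched[i] {
			return n < patched[i], nil
		}
	}
	return hasPre, nil
}

// scanGoMod lists affected goxmldsig versions in go.mod text (replace: target side only).
func scanGoMod(gomod string) (hits []string) {
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // strip comments such as "// indirect"
		if _, target, ok := strings.Cut(line, "=>"); ok {
			line = target
		}
		f := strings.Fields(line)
		for i := 0; i+1 < len(f); i++ {
			if bad, _ := affected(f[i+1]); f[i] == modPath && bad {
				hits = append(hits, f[i+1])
			}
		}
	}
	return hits
}

func main() {
	fmt.Println("affected versions found:", scanGoMod(sampleGoMod))
}
```

A replace directive that points at a fork under a different module path is not matched by this check and needs a separate review.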
For more information
If you have any questions or comments about this advisory, open an issue at https://github.com/russellhaering/goxmldsig.