CVE-2020-15216
Signature Validation Bypass in goxmldsig
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade to at least revision f6188febf0c29d7ffe26a0436212b19cb9615e64 or version 1.1.0
En goxmldsig (firmas digitales XML implementadas en Pure Go), versiones anteriores a 1.1.0, con un archivo XML cuidadosamente diseñado, un atacante puede omitir por completo una comprobación de firmas y dejar pasar un archivo alterado como uno firmado. Un parche está disponible, todos los usuarios de goxmldsig deben actualizar al menos a la revisión f6188febf0c29d7ffe26a0436212b19cb9615e64 o versión 1.1.0
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-06-25 CVE Reserved
- 2020-09-29 CVE Published
- 2024-08-03 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-347: Improper Verification of Cryptographic Signature
CAPEC
References (5)
| URL | Tag | Source |
|---|---|---|
| https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7 | Third Party Advisory | |
| https://pkg.go.dev/github.com/russellhaering/goxmldsig?tab=overview | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64 | 2023-11-07 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Goxmldsig Project Search vendor "Goxmldsig Project" | Goxmldsig Search vendor "Goxmldsig Project" for product "Goxmldsig" | < 1.1.0 Search vendor "Goxmldsig Project" for product "Goxmldsig" and version " < 1.1.0" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 32 Search vendor "Fedoraproject" for product "Fedora" and version "32" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 33 Search vendor "Fedoraproject" for product "Fedora" and version "33" | - |
Affected
| ||||||