
CVE-2023-49087

Published: 30/11/2023 Updated: 06/12/2023
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 0

Vulnerability Summary

xml-security is a library that implements XML signatures and encryption. Validating an XML signature requires two checks: that the hash of the referenced XML content matches the DigestValue element, and that the cryptographic signature over the SignedInfo tree (the element that carries that DigestValue) verifies under a trusted public key. The second check is what makes the first meaningful: DigestValue is only as trustworthy as the signature covering it. If an attacker somehow (e.g. by exploiting a bug in PHP's canonicalization function) manages to manipulate the DigestValue in the canonicalized version of SignedInfo, the signature can be forged. This issue has been patched in versions 1.6.12 and 5.0.0-alpha.13.
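The two checks described above, as an added example that is not code from the xml-security library. It is a deliberately simplified model: Python's standard library only, HMAC-SHA256 (one of the MAC algorithms XML-DSig defines) standing in for the library's public-key signature, C14N 2.0 from xml.etree standing in for the library's canonicalization, no ds: namespace, a single Reference and no transforms. The key, the element names and the signed document are all constructed for the demonstration. The point it shows is that the digest check must read DigestValue from the exact bytes the signature authenticated, and that an attacker who edits the referenced content cannot keep both checks passing without the signing key.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed demo key; stands in for the trusted verification key of a real deployment.
KEY = b"constructed-demo-hmac-key"


def c14n(elem):
    """Canonical bytes of one element. C14N 2.0 from the stdlib is assumed here in
    place of the library's own canonicalization. The tail is cleared so that text
    following the element in the parent never leaks into the canonical form."""
    tail, elem.tail = elem.tail, None
    try:
        raw = ET.tostring(elem, encoding="unicode")
    finally:
        elem.tail = tail
    return ET.canonicalize(raw).encode()


def digest_b64(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_signed_document(body_text):
    """Constructed signer: digest the referenced Body, put the digest into
    SignedInfo, then sign the canonical SignedInfo bytes."""
    root = ET.Element("Doc")
    body = ET.SubElement(root, "Body", Id="b1")
    body.text = body_text
    sig = ET.SubElement(root, "Signature")
    signed_info = ET.SubElement(sig, "SignedInfo")
    ref = ET.SubElement(signed_info, "Reference", URI="#b1")
    ET.SubElement(ref, "DigestValue").text = digest_b64(c14n(body))
    mac = hmac.new(KEY, c14n(signed_info), hashlib.sha256).digest()
    ET.SubElement(sig, "SignatureValue").text = base64.b64encode(mac).decode()
    return ET.tostring(root, encoding="unicode")


def verify(xml_text):
    """Returns 'valid', or the name of the first check that failed."""
    root = ET.fromstring(xml_text)
    sig = root.find("Signature")
    if sig is None or sig.find("SignedInfo") is None or sig.findtext("SignatureValue") is None:
        return "signature-missing"

    # Check 1: the signature over the canonical SignedInfo bytes verifies under the trusted key.
    signed_info_bytes = c14n(sig.find("SignedInfo"))
    expected = base64.b64decode(sig.findtext("SignatureValue"))
    actual = hmac.new(KEY, signed_info_bytes, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, actual):
        return "signature-invalid"

    # Check 2: the referenced content matches DigestValue. DigestValue is re-read from the
    # bytes that were just authenticated, not from the original DOM, so the digest we
    # compare against is exactly the one the signature covers.
    trusted_si = ET.fromstring(signed_info_bytes)
    ref = trusted_si.find("Reference")
    target_id = ref.get("URI", "")[1:]
    target = root.find(f".//*[@Id='{target_id}']")
    if target is None:
        return "reference-missing"
    if not hmac.compare_digest(ref.findtext("DigestValue", ""), digest_b64(c14n(target))):
        return "digest-mismatch"
    return "valid"


def tamper(xml_text, new_body, patch_digest):
    """Attacker edits the referenced Body. With patch_digest=True the attacker also
    rewrites DigestValue to match the new Body, but has no key to re-sign SignedInfo."""
    root = ET.fromstring(xml_text)
    body = root.find("Body")
    body.text = new_body
    if patch_digest:
        root.find("Signature/SignedInfo/Reference/DigestValue").text = digest_b64(c14n(body))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    doc = build_signed_document("amount=100")
    print(verify(doc))                                    # valid
    print(verify(tamper(doc, "amount=999", False)))       # digest-mismatch
    print(verify(tamper(doc, "amount=999", True)))        # signature-invalid
```

Editing the Body alone trips the digest check; patching DigestValue to cover the edit moves the mismatch into SignedInfo, where the signature check catches it. The only way to keep both checks passing is to make the verifier compare the digest against a DigestValue other than the one inside the bytes it signature-verified, which is the gap the advisory describes.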

Vulnerable Products

simplesamlphp saml2 5.0.0

simplesamlphp xml-security 1.6.11

Vendor Advisories

Description: A flaw was found in xml-security due to insufficient verification of data authenticity. If an attacker manipulates the canonicalized version's DigestValue, the cryptographic signature on the SignedInfo tree could be forged.