GHSA-ww7x-3gxh-qm6r

Source
https://github.com/advisories/GHSA-ww7x-3gxh-qm6r
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-ww7x-3gxh-qm6r/GHSA-ww7x-3gxh-qm6r.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-ww7x-3gxh-qm6r
Aliases
Published
2023-11-28T18:52:19Z
Modified
2024-02-16T08:06:49.575545Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
Validation of SignedInfo
Details

Validating an XML Signature requires two checks: that the hash of the referenced XML document (after any optional transformations and/or canonicalization) matches the DigestValue, and that the cryptographic signature over the SignedInfo tree (the element that contains that DigestValue) verifies against a trusted public key.

Within the simpleSAMLphp/xml-security library (https://github.com/simplesamlphp/xml-security), the hash is validated in SignedElementTrait::validateReference, and the signature is verified in SignedElementTrait::verifyInternal.

https://github.com/simplesamlphp/xml-security/blob/master/src/XML/SignedElementTrait.php:

[screenshot of the relevant code in SignedElementTrait.php omitted]

What stands out is that the signature is verified over the canonical version of the SignedInfo tree, whereas the validateReference method reads the DigestValue from the original, non-canonicalized SignedInfo. The digest that is checked is therefore not taken from the bytes the signature actually covers.

Impact

If an attacker somehow (e.g. by exploiting a bug in PHP's canonicalization function) manages to make the DigestValue in the canonicalized version differ from the one in the original tree, it would potentially be possible to forge the signature. No possibilities to exploit this were found during the investigation.
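As an added example (not the library's code), a small Python verifier that takes the Reference and DigestValue from the canonical SignedInfo bytes it has just verified, so the digest that is compared is the one the signature covers. It assumes HMAC-SHA256 as a stand-in for the real signature algorithm, SHA-256 over the canonical form of a referenced sibling element (no enveloped-signature transform), and a constructed sample document.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)
KEY = b"constructed-demo-key"  # assumption: HMAC key stands in for a trusted public key

# Constructed sample: the Signature references a sibling element by its ID.
SAMPLE = (
    '<Response xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<Assertion ID="a1"><Subject>alice</Subject></Assertion>'
    '<ds:Signature><ds:SignedInfo><ds:Reference URI="#a1">'
    '<ds:DigestValue/></ds:Reference></ds:SignedInfo>'
    '<ds:SignatureValue/></ds:Signature></Response>'
)

def c14n(elem: ET.Element) -> bytes:
    # Canonical XML 1.0 of the subtree, via the standard-library implementation
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()

def b64sha256(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def b64hmac(data: bytes) -> str:
    return base64.b64encode(hmac.new(KEY, data, "sha256").digest()).decode()

def same(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time comparison

def referenced(root: ET.Element, ref: ET.Element):
    return root.find(f".//*[@ID='{ref.get('URI')[1:]}']")

def make_signed_document() -> bytes:
    root = ET.fromstring(SAMPLE)
    sig = root.find(f"{{{DS}}}Signature")
    si = sig.find(f"{{{DS}}}SignedInfo")
    ref = si.find(f"{{{DS}}}Reference")
    ref.find(f"{{{DS}}}DigestValue").text = b64sha256(c14n(referenced(root, ref)))
    sig.find(f"{{{DS}}}SignatureValue").text = b64hmac(c14n(si))  # signs canonical SignedInfo
    return ET.tostring(root)

def verify(doc: bytes) -> bool:
    root = ET.fromstring(doc)
    sig = root.find(f"{{{DS}}}Signature")
    si_canon = c14n(sig.find(f"{{{DS}}}SignedInfo"))
    if not same(b64hmac(si_canon), sig.findtext(f"{{{DS}}}SignatureValue") or ""):
        return False
    # Read Reference/DigestValue back from the canonical bytes just verified,
    # not from the original tree: what was signed is exactly what gets checked.
    ref = ET.fromstring(si_canon).find(f"{{{DS}}}Reference")
    target = referenced(root, ref)
    return target is not None and same(ref.findtext(f"{{{DS}}}DigestValue") or "", b64sha256(c14n(target)))
```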

Database specific
{
    "nvd_published_at": "2023-11-30T06:15:47Z",
    "cwe_ids": [
        "CWE-345"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-28T18:52:19Z"
}
References

Affected packages

Packagist / simplesamlphp/xml-security

Package

Name
simplesamlphp/xml-security
Purl
pkg:composer/simplesamlphp/xml-security

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.6.11
Fixed
1.6.12

Affected versions

1.*

1.6.11

v1.*

v1.6.11

Packagist / simplesamlphp/saml2

Package

Name
simplesamlphp/saml2
Purl
pkg:composer/simplesamlphp/saml2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0-alpha.12
Fixed
5.0.0-alpha.13

Affected versions

5.*

5.0.0-alpha.12

v5.*

v5.0.0-alpha.12

Ecosystem specific

{
    "affected_functions": [
        "https://github.com/simplesamlphp/saml2/commit/d1ff458bb21f9751901033092c1d158f9fe63b0c"
    ]
}