GO-2023-1826

See a problem?
Source
https://pkg.go.dev/vuln/GO-2023-1826
Import Source
https://vuln.go.dev/ID/GO-2023-1826.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2023-1826
Aliases
Published
2023-06-09T15:42:52Z
Modified
2024-05-20T16:03:47Z
Summary
Signature validation bypass in github.com/moov-io/signedxml
Details

Signature validation canonicalizes the input XML document before validating the signature. Parsing the uncanonicalized and canonicalized forms can produce different results. An attacker can exploit this variation to bypass signature validation.

Users of signature validation must only parse the canonicalized form of the validated document. The Validator.Validate function does not return the canonical form, and cannot be used safely. Users should only use the Validator.ValidateReferences function and only parse the canonical form which it returns.

The Validator.Validate function was removed in github.com/moov-io/signedxml v1.1.0.

References

Affected packages

Go / github.com/moov-io/signedxml

Package

Name
github.com/moov-io/signedxml
View open source insights on deps.dev
Purl
pkg:golang/github.com/moov-io/signedxml

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.1.0

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/moov-io/signedxml",
            "symbols": [
                "Validator.Validate"
            ]
        }
    ]
}