GO-2023-1826

Source
https://pkg.go.dev/vuln/GO-2023-1826
Import Source
https://vuln.go.dev/ID/GO-2023-1826.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2023-1826
Aliases
Published
2023-06-09T15:42:52Z
Modified
2024-05-20T16:03:47Z
Summary
Signature validation bypass in github.com/moov-io/signedxml
Details

Signature validation canonicalizes the input XML document before validating the signature. Parsing the uncanonicalized and canonicalized forms can produce different results. An attacker can exploit this variation to bypass signature validation.

Users of signature validation must only parse the canonicalized form of the validated document. The Validator.Validate function does not return the canonical form, and cannot be used safely. Users should only use the Validator.ValidateReferences function and only parse the canonical form which it returns.

The Validator.Validate function was removed in github.com/moov-io/signedxml v1.1.0.
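
The calling pattern described above, as an added example (not code from the advisory or from the signedxml project): the application parses only what validation returned and never touches the raw document. The `refValidator` interface is an assumption that mirrors `Validator.ValidateReferences` returning the canonical forms as strings; `Order`, `DecodeVerified` and `stubValidator` are hypothetical names, and the sample XML is constructed.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
)

// refValidator is the single method this example depends on. Assumption: it
// mirrors Validator.ValidateReferences, returning the canonical form of each
// signed reference as a string.
type refValidator interface {
	ValidateReferences() ([]string, error)
}

// Order is a hypothetical signed payload type.
type Order struct {
	XMLName xml.Name `xml:"Order"`
	Payee   string   `xml:"Payee"`
	Amount  int      `xml:"Amount"`
}

// DecodeVerified parses only what the validator returned. The raw document is
// never passed in, so it cannot be parsed by mistake.
func DecodeVerified(v refValidator) (*Order, error) {
	refs, err := v.ValidateReferences()
	if err != nil {
		return nil, fmt.Errorf("signature validation failed: %w", err)
	}
	// Exactly one signed payload is expected; anything else is ambiguous.
	if len(refs) != 1 {
		return nil, errors.New("expected exactly one signed reference")
	}
	var o Order
	if err := xml.Unmarshal([]byte(refs[0]), &o); err != nil {
		return nil, fmt.Errorf("canonical form did not parse: %w", err)
	}
	return &o, nil
}

// stubValidator stands in for the library in this offline example (constructed).
type stubValidator struct {
	canonical []string
	err       error
}

func (s stubValidator) ValidateReferences() ([]string, error) { return s.canonical, s.err }

func main() {
	v := stubValidator{canonical: []string{"<Order><Payee>alice</Payee><Amount>10</Amount></Order>"}}
	o, err := DecodeVerified(v)
	fmt.Println(o, err)
}
```

With the real library, the value passed to `DecodeVerified` would be the validator built from the received document; the stub only replaces it so the example runs offline.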

Database specific
{
    "url": "https://pkg.go.dev/vuln/GO-2023-1826",
    "review_status": "REVIEWED"
}
References

Affected packages

Go / github.com/moov-io/signedxml

Package

Name
github.com/moov-io/signedxml
Purl
pkg:golang/github.com/moov-io/signedxml

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.1.0

Ecosystem specific

{
    "imports": [
        {
            "symbols": [
                "Validator.Validate"
            ],
            "path": "github.com/moov-io/signedxml"
        }
    ]
}