CVE-2023-49087

2023-11-3006:15:47

Google

osv.dev

xml security

library

signature manipulation

vulnerability

hash value

cryptographic signature

patch

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0.0005 Low

EPSS

Percentile

17.8%

JSON

xml-security is a library that implements XML signatures and encryption. Validation of an XML signature requires verification that the hash value of the related XML-document matches a specific DigestValue-value, but also that the cryptographic signature on the SignedInfo-tree (the one that contains the DigestValue) verifies and matches a trusted public key. If an attacker somehow (i.e. by exploiting a bug in PHP’s canonicalization function) manages to manipulate the canonicalized version’s DigestValue, it would be possible to forge the signature. This issue has been patched in version 1.6.12 and 5.0.0-alpha.13.

CPENameOperatorVersion
xml-securityeq1.6.2
xml-securityeq1.1.0
xml-securityeq0.2.4
xml-securityeq0.3.0
xml-securityeq0.5.5
xml-securityeq1.0.3
xml-securityeq0.4.3
xml-securityeq1.6.7
xml-securityeq0.6.4
xml-securityeq0.3.2

Name	Operator	Version
xml-security	eq	1.6.2
xml-security	eq	1.1.0
xml-security	eq	0.2.4
xml-security	eq	0.3.0
xml-security	eq	0.5.5
xml-security	eq	1.0.3
xml-security	eq	0.4.3
xml-security	eq	1.6.7
xml-security	eq	0.6.4
xml-security	eq	0.3.2