Lucene search
PRIOn knowledge basePRION:CVE-2023-49087HistoryNov 30, 2023 - 6:15 a.m.
Code injection
2023-11-3006:15:00
PRIOn knowledge base
www.prio-n.com
xml signatures
encryption
validation
hash value
cryptographic signature
manipulation
canonicalization function
bug
patch
xml-security is a library that implements XML signatures and encryption. Validation of an XML signature requires verification that the hash value of the related XML-document matches a specific DigestValue-value, but also that the cryptographic signature on the SignedInfo-tree (the one that contains the DigestValue) verifies and matches a trusted public key. If an attacker somehow (i.e. by exploiting a bug in PHP’s canonicalization function) manages to manipulate the canonicalized version’s DigestValue, it would be possible to forge the signature. This issue has been patched in version 1.6.12 and 5.0.0-alpha.13.
| CPE | Name | Operator | Version |
|---|---|---|---|
| saml2 | eq | 5.0.0 alpha12 | |
| xml-security | eq | 1.6.11 |
Related
nvd
nvd
CVE-2023-49087
2023-11-30 06:15:47
redhatcve
redhatcve
CVE-2023-49087
2023-11-30 10:26:14
cvelist
cvelist
CVE-2023-49087 Validation of SignedInfo
2023-11-30 05:20:28
github
github
Validation of SignedInfo
2023-11-28 18:52:19
osv
osv
CVE-2023-49087
2023-11-30 06:15:47
Validation of SignedInfo
2023-11-28 18:52:19
cve
cve
CVE-2023-49087
2023-11-30 06:15:47
veracode
veracode
Improper Signature Validation
2023-11-29 12:57:59