27 matches found
GO-2026-4753 Loop Variable Capture Signature Bypass in goxmldsig in github.com/russellhaering/goxmldsig
Loop Variable Capture Signature Bypass in goxmldsig in github.com/russellhaering/goxmldsig...
CVE-2026-33487 goxmldsig has validateSignature Loop Variable Capture Signature Bypass
goxmldsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the validateSignature function in validate.go goes through the references in the SignedInfo block to find one that matches the signed element's ID. In Go versions before 1.22, or when go.mod uses an older version,...
goxmldsig security vulnerability
Goxmldsig is a digital signature library written in the Go language by Russell Haering. This library inherits from SAML 2.0, allowing signature generation and verification functions to be performed without the need for command-line tools. Versions of goxmldsig prior to 1.6.0 contained security...
validateSignature Loop Variable Capture Signature Bypass in goxmldsig
Details: The validateSignature function in validate.go goes through the references in the SignedInfo block to find one that matches the signed element's ID. In Go versions before 1.22, or when go.mod uses an older version, there is a loop variable capture issue. The code takes the address of the...
GHSA-479M-364C-43VC validateSignature Loop Variable Capture Signature Bypass in goxmldsig
Details: The validateSignature function in validate.go goes through the references in the SignedInfo block to find one that matches the signed element's ID. In Go versions before 1.22, or when go.mod uses an older version, there is a loop variable capture issue. The code takes the address of the...
goxmldsig vulnerable to crash on nil-pointer dereference caused by sending malformed XML signatures
This affects all versions of package github.com/russellhaering/goxmldsig prior to 1.1.1. There is a crash on nil-pointer dereference caused by sending malformed XML signatures. This issue is patched in version 1.1.1...
GHSA-MQQV-CHPX-VQ25 goxmldsig vulnerable to crash on nil-pointer dereference caused by sending malformed XML signatures
This affects all versions of package github.com/russellhaering/goxmldsig prior to 1.1.1. There is a crash on nil-pointer dereference caused by sending malformed XML signatures. This issue is patched in version 1.1.1...
GHSA-5684-G483-2249 Signature Validation Bypass
Impact: Given a valid SAML Response, an attacker can potentially modify the document, bypassing signature validation in order to pass off the altered document as a signed one. This enables a variety of attacks, including users accessing accounts other than the one to which they authenticated in th...
Signature Validation Bypass
Impact: An authentication bypass exists in the goxmldsig this library uses to determine if SAML assertions are genuine. An attacker could craft a SAML response that would appear to be valid but would not have been genuinely issued by the IDP. Patches: Version 0.4.2 bumps the dependency which should...
github.com/russellhaering/goxmldsig vulnerable to Signature Validation Bypass
Impact: With a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. Patches: A patch is available, all users of goxmldsig should upgrade to v1.1.0. For more information: If you have any questions or comments about this...
GHSA-Q547-GMF8-8JR7 github.com/russellhaering/goxmldsig vulnerable to Signature Validation Bypass
Impact: With a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. Patches: A patch is available, all users of goxmldsig should upgrade to v1.1.0. For more information: If you have any questions or comments about this...
GO-2020-0050 XML digital signature validation bypass in github.com/russellhaering/goxmldsig
Due to the behavior of encoding/xml, a crafted XML document may cause XML Digital Signature validation to be entirely bypassed, causing an unsigned document to appear signed...
[SECURITY] Fedora 32 Update: golang-github-russellhaering-goxmldsig-1.1.0-1.fc32
Pure Go implementation of XML Digital Signatures...
CVE-2020-15216
In goxmldsig XML Digital Signatures implemented in pure Go before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade to at least revision...
CVE-2020-15216
In goxmldsig XML Digital Signatures implemented in pure Go before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade to at least revision...
DEBIAN-CVE-2020-15216
In goxmldsig XML Digital Signatures implemented in pure Go before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade to at least revision...
CVE-2020-15216
In goxmldsig XML Digital Signatures implemented in pure Go before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade to at least revision...
CVE-2020-15216
In goxmldsig XML Digital Signatures implemented in pure Go before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade to at least revision...
Design/Logic Flaw
In goxmldsig XML Digital Signatures implemented in pure Go before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade to at least revision...
CVE-2020-15216 Signature Validation Bypass in goxmldsig
In goxmldsig XML Digital Signatures implemented in pure Go before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade to at least revision...