Veracode Vulnerability Database: VERACODE:46722
May 02, 2024 - 10:31 a.m.

Signature Verification Bypass

2024-05-02 10:31:45
sca.analysiscenter.veracode.com
xml documents
signature verification
vulnerability
authorization checks
certificates
manipulation

CVSS3: 10 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

AI Score: 9.5 High (Confidence: High)

EPSS: 0.0004 Low (Percentile: 10.4%)

xml-crypto is vulnerable to Signature Verification Bypass. The vulnerability is due to inadequate authorization checks for signed certificates, which allows an attacker to manipulate XML documents with falsified signatures or certificates that can bypass the library's default validation mechanisms.

CPE
Name        Operator  Version
xml-crypto  le        5.1.1
