data/reports/GO-2020-0050.yaml - vulndb - Git at Google

 id: GO-2020-0050
 modules:
     - module: github.com/russellhaering/goxmldsig
       versions:
         - fixed: 1.1.0
       vulnerable_at: 0.0.0-20200902171629-2e1fbc2c5593
       packages:
         - package: github.com/russellhaering/goxmldsig
           symbols:
             - ValidationContext.findSignature
           derived_symbols:
             - ValidationContext.Validate
 summary: XML digital signature validation bypass in github.com/russellhaering/goxmldsig
 description: |-
     Due to the behavior of encoding/xml, a crafted XML document may cause XML
     Digital Signature validation to be entirely bypassed, causing an unsigned
     document to appear signed.
 published: 2021-04-14T20:04:52Z
 cves:
     - CVE-2020-15216
 ghsas:
     - GHSA-q547-gmf8-8jr7
 related:
     - CVE-2020-26290
     - CVE-2020-27847
     - GHSA-2x32-jm95-2cpx
     - GHSA-m9hp-7r99-94h5
 credits:
     - '@jupenur'
 references:
     - fix: https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64
	id: GO-2020-0050
	modules:
	- module: github.com/russellhaering/goxmldsig
	versions:
	- fixed: 1.1.0
	vulnerable_at: 0.0.0-20200902171629-2e1fbc2c5593
	packages:
	- package: github.com/russellhaering/goxmldsig
	symbols:
	- ValidationContext.findSignature
	derived_symbols:
	- ValidationContext.Validate
	summary: XML digital signature validation bypass in github.com/russellhaering/goxmldsig
	description: \|-
	Due to the behavior of encoding/xml, a crafted XML document may cause XML
	Digital Signature validation to be entirely bypassed, causing an unsigned
	document to appear signed.
	published: 2021-04-14T20:04:52Z
	cves:
	- CVE-2020-15216
	ghsas:
	- GHSA-q547-gmf8-8jr7
	related:
	- CVE-2020-26290
	- CVE-2020-27847
	- GHSA-2x32-jm95-2cpx
	- GHSA-m9hp-7r99-94h5
	credits:
	- '@jupenur'
	references:
	- fix: https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64