blob: 97c1e70d30df84e738970343cef980b92a76760f [file] [log] [blame]
id: GO-2020-0050
modules:
- module: github.com/russellhaering/goxmldsig
versions:
- fixed: 1.1.0
vulnerable_at: 0.0.0-20200902171629-2e1fbc2c5593
packages:
- package: github.com/russellhaering/goxmldsig
symbols:
- ValidationContext.findSignature
derived_symbols:
- ValidationContext.Validate
summary: XML digital signature validation bypass in github.com/russellhaering/goxmldsig
description: |-
Due to the behavior of encoding/xml, a crafted XML document may cause XML
Digital Signature validation to be entirely bypassed, causing an unsigned
document to appear signed.
published: 2021-04-14T20:04:52Z
cves:
- CVE-2020-15216
ghsas:
- GHSA-q547-gmf8-8jr7
related:
- CVE-2020-26290
- CVE-2020-27847
- GHSA-2x32-jm95-2cpx
- GHSA-m9hp-7r99-94h5
credits:
- '@jupenur'
references:
- fix: https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64
review_status: REVIEWED