| id: GO-2020-0050 |
| modules: |
| - module: github.com/russellhaering/goxmldsig |
| versions: |
| - fixed: 1.1.0 |
| vulnerable_at: 0.0.0-20200902171629-2e1fbc2c5593 |
| packages: |
| - package: github.com/russellhaering/goxmldsig |
| symbols: |
| - ValidationContext.findSignature |
| derived_symbols: |
| - ValidationContext.Validate |
| summary: XML digital signature validation bypass in github.com/russellhaering/goxmldsig |
| description: |- |
| Due to the behavior of encoding/xml, a crafted XML document may cause XML |
| Digital Signature validation to be entirely bypassed, causing an unsigned |
| document to appear signed. |
| published: 2021-04-14T20:04:52Z |
| cves: |
| - CVE-2020-15216 |
| ghsas: |
| - GHSA-q547-gmf8-8jr7 |
| related: |
| - CVE-2020-26290 |
| - CVE-2020-27847 |
| - GHSA-2x32-jm95-2cpx |
| - GHSA-m9hp-7r99-94h5 |
| credits: |
| - '@jupenur' |
| references: |
| - fix: https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64 |
| review_status: REVIEWED |