Vulnerability Information
Vulnerability Title
Validation of SignedInfo
Vulnerability Description
xml-security is a library that implements XML signatures and encryption. Validating an XML signature requires verifying not only that the hash of the referenced XML document matches the DigestValue, but also that the cryptographic signature over the SignedInfo tree (the element that contains the DigestValue) verifies against a trusted public key. If an attacker somehow (e.g. by exploiting a bug in PHP's canonicalization function) manages to manipulate the DigestValue in the canonicalized version, it would be possible to forge the signature. This issue has been patched in version 1.6.12 and 5.0.0-alpha.13.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
Vulnerability Type
Insufficient Verification of Data Authenticity
Vulnerability Title
xml-security data forgery vulnerability
Vulnerability Description
xml-security is an open-source library from SimpleSAMLphp. xml-security version 1.6.11 and saml2 version 5.0.0-alpha.13 contain a data forgery vulnerability. The flaw stems from the fact that XML signature validation must verify that the hash of the related XML document matches a specific DigestValue and must also verify the cryptographic signature on the SignedInfo tree against a trusted public key; an attacker exploiting this vulnerability can in some way manipulate the DigestValue of the canonicalized version and may be able to forge the signature.
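The two-step check that both descriptions above require (digest of the referenced content, plus a signature over the canonicalized SignedInfo verified with a trusted key) as an added, constructed Python example that is not the xml-security library's code. It assumes a toy document layout (Document/Body), uses HMAC-SHA256 as a stand-in for the real public-key signature and the standard library's C14N 2.0 as a stand-in for the library's canonicalization; the functions build_signed, verify_digest_only, verify_full and tamper are all hypothetical names.

```python
# Toy XML-DSig-style verifier: constructed example, not xml-security's code.
# HMAC-SHA256 stands in for the public-key signature, stdlib C14N 2.0 (3.8+) for c14n.
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

KEY = b"constructed-trusted-key"  # plays the role of the trusted verifying key

def c14n(elem):
    return ET.canonicalize(ET.tostring(elem), strip_text=True).encode()

def b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def sign_over(data):
    return base64.b64encode(hmac.new(KEY, data, hashlib.sha256).digest()).decode()

def build_signed(doc_xml):
    """Attach a Signature: Reference digest of Body, then signature over SignedInfo."""
    root = ET.fromstring(doc_xml)
    si = ET.Element("SignedInfo")
    ref = ET.SubElement(si, "Reference", URI="#body")
    ET.SubElement(ref, "DigestValue").text = b64_sha256(c14n(root.find("Body")))
    sig = ET.SubElement(root, "Signature")
    sig.append(si)
    ET.SubElement(sig, "SignatureValue").text = sign_over(c14n(si))
    return ET.tostring(root).decode()

def verify_digest_only(xml):
    """Incomplete check: compares only the Reference DigestValue with Body."""
    root = ET.fromstring(xml)
    claimed = root.findtext("Signature/SignedInfo/Reference/DigestValue")
    return claimed == b64_sha256(c14n(root.find("Body")))

def verify_full(xml):
    """Correct check: the signature over canonical SignedInfo must verify with the
    trusted key before the DigestValue it vouches for is compared with Body."""
    root = ET.fromstring(xml)
    si = root.find("Signature/SignedInfo")
    got = root.findtext("Signature/SignatureValue") or ""
    if si is None or not hmac.compare_digest(sign_over(c14n(si)), got):
        return False
    return verify_digest_only(xml)

def tamper(xml, new_body_text):
    """Edit Body and rewrite DigestValue to match, leaving SignatureValue as is."""
    root = ET.fromstring(xml)
    body = root.find("Body")
    body.text = new_body_text
    root.find("Signature/SignedInfo/Reference/DigestValue").text = b64_sha256(c14n(body))
    return ET.tostring(root).decode()
```

A document whose Body and DigestValue are both rewritten still passes verify_digest_only, while verify_full rejects it because the stored signature no longer matches the canonicalized SignedInfo.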
CVSS Information
N/A
Vulnerability Type
N/A