Vulnerability Report: GO-2023-1826

CVE-2023-34205, GHSA-jqvr-j2vg-gjrv
Affects: github.com/moov-io/signedxml
Published: Jun 09, 2023
Modified: Jun 12, 2023

Signature validation canonicalizes the input XML document before validating the signature. Parsing the uncanonicalized and canonicalized forms can produce different results. An attacker can exploit this variation to bypass signature validation. Users of signature validation must only parse the canonicalized form of the validated document. The Validator.Validate function does not return the canonical form, and cannot be used safely. Users should only use the Validator.ValidateReferences function and only parse the canonical form which it returns. The Validator.Validate function was removed in github.com/moov-io/signedxml v1.1.0.

Affected Packages

Path

Versions

Symbols
github.com/moov-io/signedxml

before v1.1.0
- Validator.Validate

Aliases

CVE-2023-34205
GHSA-jqvr-j2vg-gjrv

References

https://github.com/moov-io/signedxml/issues/23
https://vuln.go.dev/ID/GO-2023-1826.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL