{"containers": {"cna": {"affected": [{"product": "goxmldsig", "vendor": "russellhaering", "versions": [{"status": "affected", "version": "< 1.1.0"}]}], "descriptions": [{"lang": "en", "value": "In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade to at least revision f6188febf0c29d7ffe26a0436212b19cb9615e64 or version 1.1.0"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-347", "description": "CWE-347 Improper Verification of Cryptographic Signature", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-01-14T03:06:28", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64"}, {"tags": ["x_refsource_MISC"], "url": "https://pkg.go.dev/github.com/russellhaering/goxmldsig?tab=overview"}, {"name": "FEDORA-2021-a2a7673da2", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZECBFD4M4PHBMBOCMSQ537NOU37QOVWP/"}, {"name": "FEDORA-2021-9316ee2948", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUH33FPUXED3FHYL25BJOQPRKFGPOMS2/"}], "source": {"advisory": "GHSA-q547-gmf8-8jr7", "discovery": "UNKNOWN"}, "title": "Signature Validation Bypass in goxmldsig", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15216", "STATE": "PUBLIC", "TITLE": "Signature Validation Bypass in goxmldsig"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "goxmldsig", "version": {"version_data": [{"version_value": "< 1.1.0"}]}}]}, "vendor_name": "russellhaering"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade to at least revision f6188febf0c29d7ffe26a0436212b19cb9615e64 or version 1.1.0"}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-347 Improper Verification of Cryptographic Signature"}]}]}, "references": {"reference_data": [{"name": "https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7", "refsource": "CONFIRM", "url": "https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7"}, {"name": "https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64", "refsource": "MISC", "url": "https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64"}, {"name": "https://pkg.go.dev/github.com/russellhaering/goxmldsig?tab=overview", "refsource": "MISC", "url": "https://pkg.go.dev/github.com/russellhaering/goxmldsig?tab=overview"}, {"name": "FEDORA-2021-a2a7673da2", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZECBFD4M4PHBMBOCMSQ537NOU37QOVWP/"}, {"name": "FEDORA-2021-9316ee2948", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GUH33FPUXED3FHYL25BJOQPRKFGPOMS2/"}]}, "source": {"advisory": "GHSA-q547-gmf8-8jr7", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T13:08:22.878Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://pkg.go.dev/github.com/russellhaering/goxmldsig?tab=overview"}, {"name": "FEDORA-2021-a2a7673da2", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZECBFD4M4PHBMBOCMSQ537NOU37QOVWP/"}, {"name": "FEDORA-2021-9316ee2948", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUH33FPUXED3FHYL25BJOQPRKFGPOMS2/"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-15216", "datePublished": "2020-09-29T16:00:18", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2024-08-04T13:08:22.878Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:goxmldsig_project:goxmldsig:*:*:*:*:*:*:*:*", "matchCriteriaId": "0340F676-0F93-4DF1-8613-6A5539961649", "versionEndExcluding": "1.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade to at least revision f6188febf0c29d7ffe26a0436212b19cb9615e64 or version 1.1.0"}, {"lang": "es", "value": "En goxmldsig (firmas digitales XML implementadas en Pure Go), versiones anteriores a 1.1.0, con un archivo XML cuidadosamente dise\u00f1ado, un atacante puede omitir por completo una comprobaci\u00f3n de firmas y dejar pasar un archivo alterado como uno firmado. Un parche est\u00e1 disponible, todos los usuarios de goxmldsig deben actualizar al menos a la revisi\u00f3n f6188febf0c29d7ffe26a0436212b19cb9615e64 o versi\u00f3n 1.1.0"}], "id": "CVE-2020-15216", "lastModified": "2023-11-07T03:17:27.290", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-09-29T16:15:11.023", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUH33FPUXED3FHYL25BJOQPRKFGPOMS2/"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZECBFD4M4PHBMBOCMSQ537NOU37QOVWP/"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://pkg.go.dev/github.com/russellhaering/goxmldsig?tab=overview"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-347"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "goxmldsig: carefully crafted XML file could allow to bypass signature validation", "id": "1884118", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1884118"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-347", "details": ["In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade to at least revision f6188febf0c29d7ffe26a0436212b19cb9615e64 or version 1.1.0"], "name": "CVE-2020-15216", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Will not fix", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-grafana", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2020-09-30T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-15216\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-15216\nhttps://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7"], "statement": "Whilst the OpenShift Container Platform (OCP) and OpenShift Service Mesh (OSSM) grafana container does include goxmldsig, it is only included as part of the SAML implementation. SAML is only available in the enterprise version of Grafana (https://grafana.com/docs/grafana/latest/auth/saml/). Hence the openshift4/ose-grafana and servicemesh-grafana containers have been marked as wont-fix and may be addressed in a future update.", "threat_severity": "Moderate", "upstream_fix": "goxmldsig 1.1.0"}