CVE-2023-49087
CVSS 6.8 - MEDIUM
Description
xml-security is a library that implements XML signatures and encryption. Validating an XML signature requires two checks: that the hash of the referenced XML document matches the DigestValue, and that the cryptographic signature over the SignedInfo tree (which contains that DigestValue) verifies under a trusted public key. If an attacker somehow (e.g. by exploiting a bug in PHP's canonicalization function) manages to manipulate the DigestValue in the canonicalized version, it would be possible to forge the signature. This issue has been patched in versions 1.6.12 and 5.0.0-alpha.13.
Affected Products
| Vendor | Product | Version |
|---|---|---|
| simplesamlphp | saml2 | 5.0.0 |
| simplesamlphp | xml-security | 1.6.11 |
Weakness Types
CWE-345
CVE Information
- CVE ID: CVE-2023-49087
- Published: 2023-11-30
- Modified: 2024-11-21
- CVSS Score: 6.8
- Severity: MEDIUM
- Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
Affected Vendors
simplesamlphp