Описание
Signature validation bypass in github.com/moov-io/signedxml
In Moov signedxml through 1.0.0, parsing the raw XML (as received) can result in different output than parsing the canonicalized XML. Thus, signature validation can be bypassed via a Signature Wrapping attack (aka XSW).
Пакеты
Наименование
github.com/moov-io/signedxml
go
Затронутые версииВерсия исправления
< 1.1.0
1.1.0
Связанные уязвимости
CVSS3: 9.1
nvd
больше 2 лет назад
In Moov signedxml through 1.0.0, parsing the raw XML (as received) can result in different output than parsing the canonicalized XML. Thus, signature validation can be bypassed via a Signature Wrapping attack (aka XSW).