CVE-2020-15216 MEDIUM

CVE-2020-15216: Signature Validation Bypass in goxmldsig

Vendor Russellhaering
Product goxmldsig
Weakness CWE-347
Published September 29, 2020
Last update August 4, 2024

CVSS base score

5.3/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

What the vulnerability does

01 Description

In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, an attacker can use a carefully crafted XML file to completely bypass signature validation and pass off an altered file as a signed one. A patch is available; all users of goxmldsig should upgrade to at least revision f6188febf0c29d7ffe26a0436212b19cb9615e64 or version 1.1.0.

Key dates

02 Disclosure timeline

September 29, 2020 CVE published
August 4, 2024 Record updated