Goxmldsig
Monthly
XML Digital Signature validation in russellhaering/goxmldsig library prior to version 1.6.0 can be bypassed due to a Go loop variable capture bug, allowing remote unauthenticated attackers to forge or manipulate XML signatures without detection. The vulnerability affects applications using Go versions before 1.22 or older go.mod configurations, enabling integrity violations in SAML authentication, document signing, and other XML-DSig implementations. EPSS score of 0.02% suggests low observed exploitation probability, with no confirmed active exploitation (not in CISA KEV). Vendor patch available in version 1.6.0.
In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
This affects all versions of package github.com/russellhaering/goxmldsig. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
XML Digital Signature validation in russellhaering/goxmldsig library prior to version 1.6.0 can be bypassed due to a Go loop variable capture bug, allowing remote unauthenticated attackers to forge or manipulate XML signatures without detection. The vulnerability affects applications using Go versions before 1.22 or older go.mod configurations, enabling integrity violations in SAML authentication, document signing, and other XML-DSig implementations. EPSS score of 0.02% suggests low observed exploitation probability, with no confirmed active exploitation (not in CISA KEV). Vendor patch available in version 1.6.0.
In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
This affects all versions of package github.com/russellhaering/goxmldsig. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.