Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXBxbTYtY2d3ci14NnBm
Signature validation bypass in XmlSecLibs
Rob Richards XmlSecLibs, all versions prior to v3.0.3, as used for example by SimpleSAMLphp, performed incorrect validation of cryptographic signatures in XML messages, allowing an authenticated attacker to impersonate others or elevate privileges by creating a crafted XML message. Note that the version data below lists 3.0.3 itself as affected: the fix ships in 3.0.4 on the 3.x branch and in 2.1.1 on the 2.x branch.
Permalink: https://github.com/advisories/GHSA-pqm6-cgwr-x6pf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXBxbTYtY2d3ci14NnBm
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 5 years ago
Updated: 11 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00297
EPSS Percentile: 0.68968
Identifiers: GHSA-pqm6-cgwr-x6pf, CVE-2019-3465
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-3465
- https://github.com/robrichards/xmlseclibs/commit/0a53d3c3aa87564910cae4ed01416441d3ae0db5
- https://lists.debian.org/debian-lts-announce/2019/11/msg00003.html
- https://seclists.org/bugtraq/2019/Nov/8
- https://simplesamlphp.org/security/201911-01
- https://www.debian.org/security/2019/dsa-4560
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7KID7C4AZPYYIZQIPSLANP4R2RQR6YK3/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AB34ILMJ67CUROBOR6YPKB46VHXLOAJ4/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ESKJTWLE7QZBQ3EKMYXKMBQG3JDEJWM6/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HBE2SJSXG7J4XYLJ2H6HC2VPPOG2OMUN/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MAWOVYLZKYDCQBLQEJCFAAD3KQTBPHXE/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBSSRV5Q7JFCYO46A3EN624UZ4KXFQ2M/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BBKVDUZ7G5ZOUO4BFJWLNJ6VOKBQJX5U/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BNFMY5RRLU63P25HEBVDO5KAVI7TX7JV/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCSR3V6LNWJAD37VQB6M2K7P4RQSCVFG/
- https://www.tenable.com/security/tns-2019-09
- https://github.com/FriendsOfPHP/security-advisories/blob/master/robrichards/xmlseclibs/CVE-2019-3465.yaml
- https://github.com/advisories/GHSA-pqm6-cgwr-x6pf
Blast Radius: 26.4
Affected Packages
packagist:robrichards/xmlseclibs
Dependent packages: 120
Dependent repositories: 1,012
Downloads: 55,898,362 total
Affected Version Ranges: >= 1.0.0, < 2.1.1; >= 3.0.0, < 3.0.4
Fixed in: 2.1.1, 3.0.4
All affected versions: 1.3.2, 1.3.3, 1.3.4, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 2.0.0, 2.0.1, 2.1.0, 3.0.0, 3.0.1, 3.0.2, 3.0.3
All unaffected versions: 2.1.1, 3.0.4, 3.1.0, 3.1.1, 3.1.2, 3.1.3
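As an added example (not part of the ecosyste.ms page or of the xmlseclibs project), the check below reads a composer.lock, finds the locked robrichards/xmlseclibs version and tests it against the two affected ranges and fixed versions listed above, so a PHP project can be triaged offline without a package audit service. The lock file content is constructed for the example, and the function names (parse_version, affected_fix, find_locked_version, audit) are chosen here.

```python
"""Triage a composer.lock against GHSA-pqm6-cgwr-x6pf / CVE-2019-3465 (xmlseclibs)."""
import json
import re

# Package name, affected ranges and fixed versions as listed in the advisory data above.
PACKAGE = "robrichards/xmlseclibs"
AFFECTED_RANGES = [
    # (lower bound inclusive, upper bound exclusive, fixed version on that branch)
    ("1.0.0", "2.1.1", "2.1.1"),
    ("3.0.0", "3.0.4", "3.0.4"),
]


def parse_version(version):
    """Turn '3.0.2' or 'v3.0.2' into a comparable (major, minor, patch) tuple.

    Composer lock files may prefix tags with 'v'; anything after the numeric
    core (pre-release or build metadata) is ignored for this range check.
    """
    m = re.match(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part or 0) for part in m.groups())


def affected_fix(version):
    """Return the version to upgrade to if `version` is affected, else None."""
    v = parse_version(version)
    for lower, upper, fix in AFFECTED_RANGES:
        if parse_version(lower) <= v < parse_version(upper):
            return fix
    return None


def find_locked_version(lock_json, package=PACKAGE):
    """Return the locked version of `package` from composer.lock text, or None if absent.

    Both runtime and dev dependency sections are searched, because a
    dev-only install of a SAML library still parses untrusted XML in tests.
    """
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                return pkg["version"]
    return None


def audit(lock_json):
    """Return (status, locked_version, fixed_version) for the lock file."""
    version = find_locked_version(lock_json)
    if version is None:
        return ("absent", None, None)
    fix = affected_fix(version)
    return ("affected" if fix else "ok", version, fix)


# Constructed sample composer.lock; not taken from any real project.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "simplesamlphp/saml2", "version": "v3.4.1"},
        {"name": "robrichards/xmlseclibs", "version": "3.0.2"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    status, version, fix = audit(SAMPLE_LOCK)
    print(f"{PACKAGE} {version}: {status}" + (f", upgrade to {fix}" if fix else ""))
```

The upper bounds are exclusive and the lower bounds inclusive, matching the ranges on this page, so 2.1.1 and 3.0.4 report as fixed while 3.0.3 still reports as affected. Run it against a real lock file by replacing SAMPLE_LOCK with the file's contents.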