Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXBxbTYtY2d3ci14NnBm

Signature validation bypass in XmlSecLibs

Rob Richards XmlSecLibs, all versions prior to v3.0.3, as used for example by SimpleSAMLphp, performed incorrect validation of cryptographic signatures in XML messages, allowing an authenticated attacker to impersonate others or elevate privileges by creating a crafted XML message.

Permalink: https://github.com/advisories/GHSA-pqm6-cgwr-x6pf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXBxbTYtY2d3ci14NnBm
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 4 years ago
Updated: 3 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-pqm6-cgwr-x6pf, CVE-2019-3465
References: Repository: https://github.com/robrichards/xmlseclibs
Blast Radius: 26.4

Affected Packages

packagist:robrichards/xmlseclibs
Dependent packages: 119
Dependent repositories: 1,012
Downloads: 45,405,242 total
Affected Version Ranges: >= 1.0.0, < 2.1.1, >= 3.0.0, < 3.0.4
Fixed in: 2.1.1, 3.0.4
All affected versions: 1.3.2, 1.3.3, 1.3.4, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 2.0.0, 2.0.1, 2.1.0, 3.0.0, 3.0.1, 3.0.2, 3.0.3
All unaffected versions: 2.1.1, 3.0.4, 3.1.0, 3.1.1