CVE-2023-49087

xml-security is a library that implements XML signatures and encryption. Validation of an XML signature requires verification that the hash value of the related XML-document matches a specific DigestValue-value, but also that the cryptographic signature on the SignedInfo-tree (the one that contains the DigestValue) verifies and matches a trusted public key. If an attacker somehow (i.e. by exploiting a bug in PHP's canonicalization function) manages to manipulate the canonicalized version's DigestValue, it would be possible to forge the signature. This issue has been patched in version 1.6.12 and 5.0.0-alpha.13.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/simplesamlphp/xml-security/commit/f509e3083dd7870cce5880c804b5122317287581	Patch
https://github.com/simplesamlphp/xml-security/security/advisories/GHSA-ww7x-3gxh-qm6r	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:simplesamlphp:saml2:5.0.0:alpha12::::::
	cpe:2.3:a:simplesamlphp:xml-security:1.6.11:::::::*

History

06 Dec 2023, 17:49

Type	Values Removed	Values Added
References	~~() https://github.com/simplesamlphp/xml-security/security/advisories/GHSA-ww7x-3gxh-qm6r -~~	() https://github.com/simplesamlphp/xml-security/security/advisories/GHSA-ww7x-3gxh-qm6r - Exploit, Vendor Advisory
References	~~() https://github.com/simplesamlphp/xml-security/commit/f509e3083dd7870cce5880c804b5122317287581 -~~	() https://github.com/simplesamlphp/xml-security/commit/f509e3083dd7870cce5880c804b5122317287581 - Patch
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
CPE		cpe:2.3:a:simplesamlphp:saml2:5.0.0:alpha12:::::: cpe:2.3:a:simplesamlphp:xml-security:1.6.11:::::::*

30 Nov 2023, 06:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-11-30 06:15

Updated : 2024-02-05 00:22

NVD link : CVE-2023-49087

Mitre link : CVE-2023-49087

CVE.ORG link : CVE-2023-49087

JSON object : View

Products Affected

simplesamlphp

xml-security
saml2

CWE

CWE-345

Insufficient Verification of Data Authenticity

{"id": "CVE-2023-49087", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 2.2}]}, "published": "2023-11-30T06:15:47.173", "references": [{"url": "https://github.com/simplesamlphp/xml-security/commit/f509e3083dd7870cce5880c804b5122317287581", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/simplesamlphp/xml-security/security/advisories/GHSA-ww7x-3gxh-qm6r", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-345"}]}], "descriptions": [{"lang": "en", "value": "xml-security is a library that implements XML signatures and encryption. Validation of an XML signature requires verification that the hash value of the related XML-document matches a specific DigestValue-value, but also that the cryptographic signature on the SignedInfo-tree (the one that contains the DigestValue) verifies and matches a trusted public key. If an attacker somehow (i.e. by exploiting a bug in PHP's canonicalization function) manages to manipulate the canonicalized version's DigestValue, it would be possible to forge the signature. This issue has been patched in version 1.6.12 and 5.0.0-alpha.13."}, {"lang": "es", "value": "xml-security es una librer\u00eda que implementa cifrado y firmas XML. La validaci\u00f3n de una firma XML requiere verificar que el valor hash del documento XML relacionado coincida con un valor DigestValue espec\u00edfico, pero tambi\u00e9n que la firma criptogr\u00e1fica en el \u00e1rbol SignedInfo (el que contiene el DigestValue) verifique y coincida con una clave p\u00fablica confiable. Si un atacante de alguna manera (es decir, explotando un error en la funci\u00f3n de canonicalizaci\u00f3n de PHP) logra manipular el DigestValue de la versi\u00f3n canonicalizada, ser\u00eda posible falsificar la firma. Este problema se solucion\u00f3 en las versiones 1.6.12 y 5.0.0-alpha.13."}], "lastModified": "2023-12-06T17:49:44.997", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:simplesamlphp:saml2:5.0.0:alpha12:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "96D08664-7238-4C52-B40E-F32E304DE2D3"}, {"criteria": "cpe:2.3:a:simplesamlphp:xml-security:1.6.11:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3F1375D1-EBBE-4AD5-8271-457C64C948BD"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}