CVE-2019-3465 – robrichards/xmlseclibs
Package
Manager: composer
Name: robrichards/xmlseclibs
Vulnerable Version: >=3.0.0 <3.0.4 || >=1.0.0 <2.1.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.03054 (percentile 0.86179)
Details
Signature validation bypass in XmlSecLibs. Rob Richards' XmlSecLibs, as used for example by SimpleSAMLphp, performed incorrect validation of cryptographic signatures in XML messages (CWE-347, improper verification of a cryptographic signature), allowing an authenticated attacker to impersonate other users or elevate privileges by submitting a crafted XML message. The upstream description says "all versions prior to v3.0.3", but the affected range above also covers 3.0.3: treat 3.0.4 on the 3.x line and 2.1.1 on the 2.x line as the first fixed releases, and upgrade to at least those. Applications that consume SAML or other signed XML through this library (directly or via a dependency such as SimpleSAMLphp) are affected even if they never call XmlSecLibs themselves.
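As a practical check, the following added example (written for this page, not code from XmlSecLibs, SimpleSAMLphp or the advisory source) scans a composer.lock for an install of robrichards/xmlseclibs whose version falls inside the range stated above. It implements a general matcher for composer-style constraints (`||` alternatives, space- or comma-separated `>=`/`<`/`<=`/`>`/`=` terms), which goes beyond this single advisory. The composer.lock layout assumed here is the standard one (top-level "packages" and "packages-dev" arrays with "name" and "version" keys); the sample lockfile embedded below is constructed for the example.

```python
import json
import re

# Package and vulnerable range as stated in the advisory above (composer constraint syntax).
PACKAGE = "robrichards/xmlseclibs"
VULNERABLE_RANGE = ">=3.0.0 <3.0.4 || >=1.0.0 <2.1.1"

_VERSION = re.compile(r"^[vV]?(\d+(?:\.\d+)*)(.*)$")
_TERM = re.compile(r"^(>=|<=|==|>|<|=)?\s*(\S+)$")
_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
    "==": lambda a, b: a == b,
}


def parse_version(text: str) -> tuple:
    """Map '3.0.3', 'v3.0.3' or '3.0.4-beta1' to a comparable tuple.

    Numeric parts are padded to four components. The last element is 1 for a
    release and 0 for anything carrying a pre-release suffix ('-beta1', 'RC2'),
    so '3.0.4-beta1' sorts below '3.0.4' and is still caught by '<3.0.4'.
    Build metadata ('+sha') is ignored. Branch aliases such as 'dev-master'
    raise ValueError because they cannot be compared against a numeric range.
    """
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"not a numeric version: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums = (nums + [0, 0, 0, 0])[:4]
    suffix = m.group(2)
    is_release = 1 if suffix == "" or suffix.startswith("+") else 0
    return tuple(nums) + (is_release,)


def _term_holds(v: tuple, term: str) -> bool:
    """Evaluate one constraint term such as '>=3.0.0' against a parsed version."""
    m = _TERM.match(term)
    if not m:
        raise ValueError(f"unsupported constraint term: {term!r}")
    op = m.group(1) or "="
    return _OPS[op](v, parse_version(m.group(2)))


def version_matches(version: str, constraint: str) -> bool:
    """True if `version` satisfies a composer-style range.

    '||' separates alternatives (OR); whitespace or commas inside one
    alternative separate terms that must all hold (AND).
    """
    v = parse_version(version)
    for alternative in constraint.split("||"):
        terms = [t for t in re.split(r"[\s,]+", alternative.strip()) if t]
        if terms and all(_term_holds(v, t) for t in terms):
            return True
    return False


def find_affected(lock_json: str, package: str = PACKAGE,
                  vulnerable: str = VULNERABLE_RANGE) -> list:
    """Scan composer.lock contents and report installs of `package` inside `vulnerable`.

    Versions that cannot be compared (branch aliases) are reported with
    status 'unknown' rather than silently treated as safe.
    """
    lock = json.loads(lock_json)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") != package:
                continue
            ver = pkg.get("version", "")
            try:
                hit = version_matches(ver, vulnerable)
            except ValueError:
                findings.append({"section": section, "version": ver, "status": "unknown"})
                continue
            if hit:
                findings.append({"section": section, "version": ver, "status": "vulnerable"})
    return findings


# Constructed composer.lock excerpt (not from any real project): one vulnerable pin of
# xmlseclibs plus an unrelated package that the scan must ignore.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "robrichards/xmlseclibs", "version": "3.0.3"},
        {"name": "psr/log", "version": "1.1.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for f in find_affected(SAMPLE_COMPOSER_LOCK):
        print(f"{PACKAGE} {f['version']} in {f['section']}: {f['status']} (CVE-2019-3465)")
```

Point `find_affected` at the contents of a real composer.lock (for example `open("composer.lock").read()`) to check a deployment; a lockfile pinned to a branch alias is reported as "unknown" and should be inspected by hand, since the fix is only known to be present from 3.0.4 and 2.1.1 onward.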
Metadata
Created: 2019-11-08T20:06:46Z
Modified: 2021-08-18T22:14:37Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-pqm6-cgwr-x6pf/GHSA-pqm6-cgwr-x6pf.json
CWE IDs: ["CWE-347"]
Alternative ID: GHSA-pqm6-cgwr-x6pf
Finding: F204
Auto approve: 1