CVE-2023-34205
Signature validation bypass in github.com/moov-io/signedxml
Description
Signature validation canonicalizes the input XML document before validating the signature. Parsing the uncanonicalized and canonicalized forms can produce different results. An attacker can exploit this variation to bypass signature validation. Users of signature validation must only parse the canonicalized form of the validated document. The Validator.Validate function does not return the canonical form, and cannot be used safely. Users should only use the Validator.ValidateReferences function and only parse the canonical form which it returns. The Validator.Validate function was removed in github.com/moov-io/signedxml v1.1.0.
How to fix CVE-2023-34205
To remediate CVE-2023-34205, upgrade the affected package to a fixed version below.
- github.com/moov-io/signedxml: upgrade to 1.1.0 or later
Is CVE-2023-34205 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- github.com/moov-io/signedxml: from 0, < 1.1.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (9.1) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |