CVE-2024-32962 (GCVE-0-2024-32962)
Vulnerability from cvelistv5
Published: 2024-05-02 06:48
Modified: 2025-02-13 17:52

Summary
xml-crypto is an XML digital signature and encryption library for Node.js. In affected versions, the default configuration does not check the authorization of the signer; it only checks the validity of the signature per section 3.2.2 of the W3C xmldsig-core-20080610 spec. As such, without additional validation steps, the default configuration allows a malicious actor to re-sign an XML document, place the certificate in a `<KeyInfo />` element, and pass `xml-crypto`'s default validation checks. As a result, `xml-crypto` trusts by default any certificate provided via a digitally signed XML document's `<KeyInfo />`. `xml-crypto` prefers to use any certificate provided via the document's `<KeyInfo />` even if the library was configured to use a specific certificate (`publicCert`) for signature verification. An attacker can spoof signature verification by modifying the XML document, replacing the existing signature with one generated with a malicious private key (created by the attacker), and attaching that private key's certificate to the `<KeyInfo />` element. This vulnerability is a combination of changes introduced in `4.0.0` with pull request 301 / commit `c2b83f98` and has been addressed in version 6.0.0 with pull request 445 / commit `21201723d`. Users are advised to upgrade. Users unable to upgrade may either check the certificate extracted via `getCertFromKeyInfo` against trusted certificates before accepting the results of the validation, or set `xml-crypto`'s `getCertFromKeyInfo` to `() => undefined`, forcing `xml-crypto` to use an explicitly configured `publicCert` or `privateKey` for signature verification.
Impacted products
| Vendor | Product | Version |
| --- | --- | --- |
| node-saml | xml-crypto | >= 4.0.0, < 6.0.0 |


{
   containers: {
      adp: [
         {
            affected: [
               {
                  cpes: [
                     "cpe:2.3:a:node_saml_project:xml_crypto:4.0.0:*:*:*:*:*:*:*",
                  ],
                  defaultStatus: "unknown",
                  product: "xml_crypto",
                  vendor: "node_saml_project",
                  versions: [
                     {
                        lessThan: "6.0.0",
                        status: "affected",
                        version: "4.0.0",
                        versionType: "custom",
                     },
                  ],
               },
            ],
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2024-32962",
                        options: [
                           {
                              Exploitation: "poc",
                           },
                           {
                              Automatable: "yes",
                           },
                           {
                              "Technical Impact": "total",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-07-19T15:03:41.921164Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-07-19T15:09:38.365Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T02:27:52.348Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "https://github.com/node-saml/xml-crypto/security/advisories/GHSA-2xp3-57p7-qf4v",
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/node-saml/xml-crypto/security/advisories/GHSA-2xp3-57p7-qf4v",
               },
               {
                  name: "https://github.com/node-saml/xml-crypto/pull/301",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/node-saml/xml-crypto/pull/301",
               },
               {
                  name: "https://github.com/node-saml/xml-crypto/pull/445",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/node-saml/xml-crypto/pull/445",
               },
               {
                  name: "https://github.com/node-saml/xml-crypto/commit/21201723d2ca9bc11288f62cf72552b7d659b000",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/node-saml/xml-crypto/commit/21201723d2ca9bc11288f62cf72552b7d659b000",
               },
               {
                  name: "https://github.com/node-saml/xml-crypto/commit/c2b83f984049edb68ad1d7c6ad0739ec92af11ca",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/node-saml/xml-crypto/commit/c2b83f984049edb68ad1d7c6ad0739ec92af11ca",
               },
               {
                  name: "https://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-CoreValidation",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-CoreValidation",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20240705-0003/",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "xml-crypto",
               vendor: "node-saml",
               versions: [
                  {
                     status: "affected",
                     version: ">= 4.0.0, < 6.0.0",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "xml-crypto is an xml digital signature and encryption library for Node.js. In affected versions the default configuration does not check authorization of the signer, it only checks the validity of the signature per section 3.2.2 of the w3 xmldsig-core-20080610 spec. As such, without additional validation steps, the default configuration allows a malicious actor to re-sign an XML document, place the certificate in a `<KeyInfo />` element, and pass `xml-crypto` default validation checks. As a result `xml-crypto` trusts by default any certificate provided via digitally signed XML document's `<KeyInfo />`. `xml-crypto` prefers to use any certificate provided via digitally signed XML document's `<KeyInfo />` even if library was configured to use specific certificate (`publicCert`) for signature verification purposes.  An attacker can spoof signature verification by modifying XML document and replacing existing signature with signature generated with malicious private key (created by attacker) and by attaching that private key's certificate to `<KeyInfo />` element. This vulnerability is combination of changes introduced to `4.0.0` on pull request 301 / commit `c2b83f98` and has been addressed in version 6.0.0 with pull request 445 / commit `21201723d`. Users are advised to upgrade. Users unable to upgrade may either check the certificate extracted via `getCertFromKeyInfo` against trusted certificates before accepting the results of the validation or set `xml-crypto's getCertFromKeyInfo` to `() => undefined` forcing `xml-crypto` to use an explicitly configured `publicCert` or `privateKey` for signature verification.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 10,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-347",
                     description: "CWE-347: Improper Verification of Cryptographic Signature",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-07-05T16:05:57.815Z",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               name: "https://github.com/node-saml/xml-crypto/security/advisories/GHSA-2xp3-57p7-qf4v",
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/node-saml/xml-crypto/security/advisories/GHSA-2xp3-57p7-qf4v",
            },
            {
               name: "https://github.com/node-saml/xml-crypto/pull/301",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/node-saml/xml-crypto/pull/301",
            },
            {
               name: "https://github.com/node-saml/xml-crypto/pull/445",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/node-saml/xml-crypto/pull/445",
            },
            {
               name: "https://github.com/node-saml/xml-crypto/commit/21201723d2ca9bc11288f62cf72552b7d659b000",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/node-saml/xml-crypto/commit/21201723d2ca9bc11288f62cf72552b7d659b000",
            },
            {
               name: "https://github.com/node-saml/xml-crypto/commit/c2b83f984049edb68ad1d7c6ad0739ec92af11ca",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/node-saml/xml-crypto/commit/c2b83f984049edb68ad1d7c6ad0739ec92af11ca",
            },
            {
               name: "https://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-CoreValidation",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-CoreValidation",
            },
            {
               url: "https://security.netapp.com/advisory/ntap-20240705-0003/",
            },
         ],
         source: {
            advisory: "GHSA-2xp3-57p7-qf4v",
            discovery: "UNKNOWN",
         },
         title: "XML signature verification bypass due improper verification of signature / signature spoofing",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2024-32962",
      datePublished: "2024-05-02T06:48:55.906Z",
      dateReserved: "2024-04-22T15:14:59.164Z",
      dateUpdated: "2025-02-13T17:52:18.895Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      fkie_nvd: {
         id: "CVE-2024-32962",
         lastModified: "2024-11-21T09:16:07.340",
         metrics: "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N\", \"baseScore\": 10.0, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.8}]}",
         published: "2024-05-02T07:15:21.420",
         sourceIdentifier: "security-advisories@github.com",
         vulnStatus: "Awaiting Analysis",
         weaknesses: "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-347\"}]}]",
      },
   },
}

