CVE-2019-3465

Rob Richards' XmlSecLibs, all versions prior to v3.0.3 (as used, for example, by SimpleSAMLphp), performed incorrect validation of cryptographic signatures in XML messages, allowing an authenticated attacker to impersonate others or elevate privileges by creating a crafted XML message.
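A quick way to check a PHP deployment against the affected range stated above ("all versions prior to v3.0.3"), as an added example that is not part of this entry or of the xmlseclibs project: read Composer's composer.lock and flag robrichards/xmlseclibs below 3.0.3. The package name is assumed from the GitHub path in the references, the lock-file snippet is constructed sample input, and the version comparison follows only the range in the description (branch aliases such as dev-master are reported as unknown rather than guessed).

```python
"""Added example: audit a composer.lock for xmlseclibs older than the first
fixed release named in the CVE description (3.0.3).  Not part of this NVD
entry or of the xmlseclibs project."""
import json
import re

PACKAGE = "robrichards/xmlseclibs"   # assumed Packagist name, from the GitHub path in the references
FIXED = (3, 0, 3)                    # "all versions prior to v3.0.3" are affected


def parse_version(version):
    """'v3.0.2' / '3.0.2' -> (3, 0, 2); suffixes after the patch number are
    ignored; None for branch aliases such as 'dev-master'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+).*", version)
    return tuple(int(x) for x in m.groups()) if m else None


def audit_lock(lock_text):
    """Return 'absent', 'vulnerable', 'fixed' or 'unknown' for a composer.lock body."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE:
                parsed = parse_version(pkg.get("version", ""))
                if parsed is None:
                    return "unknown"       # dev branch: compare the pinned commit by hand
                return "vulnerable" if parsed < FIXED else "fixed"
    return "absent"


# Constructed sample lock file (not a real project's lock) pinning an affected release.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "example/other-package", "version": "1.0.0"},
        {"name": "robrichards/xmlseclibs", "version": "v3.0.2"},
    ],
    "packages-dev": [],
})


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    print(audit_lock(text))
```

Run it as `python audit_xmlseclibs.py path/to/composer.lock`; with no argument it audits the embedded sample and prints `vulnerable`. A vendored copy of the library that is not tracked by Composer is not seen by this check and has to be inspected by hand.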
References

https://www.debian.org/security/2019/dsa-4560  [Third Party Advisory]
https://github.com/robrichards/xmlseclibs/commit/0a53d3c3aa87564910cae4ed01416441d3ae0db5  [Patch]
https://seclists.org/bugtraq/2019/Nov/8  [Issue Tracking, Mailing List]
https://lists.debian.org/debian-lts-announce/2019/11/msg00003.html  [Mailing List, Third Party Advisory]
https://simplesamlphp.org/security/201911-01  [Third Party Advisory]
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7KID7C4AZPYYIZQIPSLANP4R2RQR6YK3/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AB34ILMJ67CUROBOR6YPKB46VHXLOAJ4/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MAWOVYLZKYDCQBLQEJCFAAD3KQTBPHXE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ESKJTWLE7QZBQ3EKMYXKMBQG3JDEJWM6/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBSSRV5Q7JFCYO46A3EN624UZ4KXFQ2M/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HBE2SJSXG7J4XYLJ2H6HC2VPPOG2OMUN/
https://www.tenable.com/security/tns-2019-09
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BNFMY5RRLU63P25HEBVDO5KAVI7TX7JV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BBKVDUZ7G5ZOUO4BFJWLNJ6VOKBQJX5U/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCSR3V6LNWJAD37VQB6M2K7P4RQSCVFG/
Configurations

Configuration 1

cpe:2.3:a:xmlseclibs_project:xmlseclibs:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:a:simplesamlphp:simplesamlphp:*:*:*:*:*:*:*:*

Information

Published : 2019-11-07 08:15

Updated : 2020-08-24 05:37


NVD link : CVE-2019-3465

Mitre link : CVE-2019-3465

Products Affected
No products.
CWE
CWE-347: Improper Verification of Cryptographic Signature
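To make the CWE-347 class concrete, the following is an added Python illustration, not xmlseclibs code and not a reconstruction of the CVE-2019-3465 defect itself (whose mechanics this entry does not describe), of one well-known way an XML message consumer can get the cryptography right and still let a crafted message impersonate someone: it verifies the signature over the element a Reference points to, then acts on a different element. A toy scheme (HMAC-SHA256 over the referenced element's serialized bytes, a shared key, element names and sample messages all constructed here) stands in for XML-DSig and SAML.

```python
"""Added illustration of CWE-347 (Improper Verification of Cryptographic
Signature) in an XML message consumer.  Toy scheme, not xmlseclibs and not the
specific CVE-2019-3465 bug: a <Signature> holds a Reference URI naming the ID
of the element it covers plus an HMAC-SHA256 over that element's bytes."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

KEY = b"constructed-shared-key-for-this-example"  # assumption: sample key, not a real secret


def canonical(elem):
    # Stand-in for XML canonicalization: the element's own serialized bytes.
    return ET.tostring(elem)


def find_by_id(root, uri):
    """Resolve a '#id' Reference URI to exactly one element or fail."""
    matches = [e for e in root.iter() if e.get("ID") == uri.lstrip("#")]
    if len(matches) != 1:
        raise ValueError("Reference must resolve to exactly one element")
    return matches[0]


def make_response(subject, assertion_id="a1"):
    """Build <Response><Assertion ID=..><Subject/></Assertion><Signature/></Response> (constructed sample)."""
    root = ET.Element("Response")
    assertion = ET.SubElement(root, "Assertion", ID=assertion_id)
    ET.SubElement(assertion, "Subject").text = subject
    sig = ET.SubElement(root, "Signature")        # detached: a sibling of the Assertion
    ET.SubElement(sig, "Reference").set("URI", "#" + assertion_id)
    mac = hmac.new(KEY, canonical(assertion), hashlib.sha256).hexdigest()
    ET.SubElement(sig, "SignatureValue").text = mac
    return ET.tostring(root)


def verified_element(root):
    """The cryptographic step, done correctly: check the MAC over the referenced element."""
    sig = root.find("Signature")
    if sig is None:
        raise ValueError("no Signature")
    signed = find_by_id(root, sig.find("Reference").get("URI"))
    expected = hmac.new(KEY, canonical(signed), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig.find("SignatureValue").text or ""):
        raise ValueError("signature does not verify")
    return signed


def subject_weak(xml_bytes):
    """CWE-347 pattern: the signature verifies, but the consumer then reads the
    first <Assertion> in the document, which need not be the signed one."""
    root = ET.fromstring(xml_bytes)
    verified_element(root)
    return root.find("Assertion/Subject").text


def subject_strict(xml_bytes):
    """Trust only the element the signature covered, and require it to be the
    single <Assertion> directly under <Response> that the application consumes."""
    root = ET.fromstring(xml_bytes)
    signed = verified_element(root)
    assertions = root.findall("Assertion")
    if len(assertions) != 1 or assertions[0] is not signed:
        raise ValueError("signed element is not the Assertion being consumed")
    return signed.find("Subject").text


def strict_accepts(xml_bytes):
    """True if subject_strict accepts the message, False if it rejects it."""
    try:
        subject_strict(xml_bytes)
        return True
    except ValueError:
        return False


def wrap_attack(xml_bytes, impersonated_subject):
    """Crafted message: keep the genuinely signed <Assertion> (so the signature
    still verifies) but tuck it under <Extensions>, and put a forged, unsigned
    <Assertion> with no ID where the consumer looks first."""
    root = ET.fromstring(xml_bytes)
    genuine = root.find("Assertion")
    root.remove(genuine)
    forged = ET.Element("Assertion")
    ET.SubElement(forged, "Subject").text = impersonated_subject
    root.insert(0, forged)
    ET.SubElement(root, "Extensions").append(genuine)
    return ET.tostring(root)


if __name__ == "__main__":
    msg = make_response("alice")
    crafted = wrap_attack(msg, "admin")
    print("genuine, weak  :", subject_weak(msg))        # alice
    print("genuine, strict:", subject_strict(msg))      # alice
    print("crafted, weak  :", subject_weak(crafted))    # admin: impersonation
    print("crafted, strict:", "accepted" if strict_accepts(crafted) else "rejected")
```

The point the strict verifier makes is the one that applies to any XML-DSig consumer, whatever the underlying library: a valid signature tells you that some referenced element was signed, not that the element you are about to act on is that element, so the application has to bind the two together explicitly.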