CVE-2023-49087
CVSS 3.1 Score 7.5 of 10 (high)
Details
Summary
CVE-2023-49087 affects the xml-security library, which is used for XML signatures and encryption. The vulnerability lies in the verification process of an XML signature, where the hash value of an XML document is compared to the DigestValue, and the cryptographic signature on the SignedInfo tree is matched against a trusted public key. An attacker who can manipulate the canonicalized version's DigestValue through a bug in PHP's canonicalization function can forge a signature, allowing unauthorized access or data modification. This issue has been addressed in versions 1.6.12 and 5.0.0-alpha.13.
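The two-stage check the summary describes (digest of the canonicalized referenced element against DigestValue, then the signature over the canonicalized SignedInfo against a trusted key) is shown below as an added, self-contained example; it is not code from xml-security or SimpleSAMLphp. It uses only the Python standard library, so an HMAC with a constructed key stands in for the asymmetric signature a real verifier checks against a public key, and `ET.canonicalize` (C14N 2.0) stands in for the library's canonicalizer. The sample document, the `Id="payload"` element and the `tamper` helper are all constructed for the demo. The negative tests make the point the advisory turns on: the digest alone proves nothing, and the scheme is only as trustworthy as the canonicalization both checks depend on.

```python
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)

# Constructed secret for the demo. An HMAC stands in for the asymmetric
# signature that a real verifier checks against a trusted public key.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"

# Constructed sample document; the element with Id="payload" is what gets signed.
SAMPLE_DOC = '<Document><Data Id="payload">amount=10</Data></Document>'


def c14n(elem):
    """Canonical bytes of a subtree (C14N 2.0 from the stdlib). Both the digest
    and the signature are computed over this form, never over raw bytes, so a
    faithful canonicalizer is a precondition for the whole scheme."""
    node = copy.copy(elem)
    node.tail = None  # tail text belongs to the parent, not to this subtree
    return ET.canonicalize(ET.tostring(node, encoding="unicode")).encode()


def find_by_id(root, uri):
    """Resolve a same-document Reference URI ('#id') to its element."""
    if not uri or not uri.startswith("#"):
        raise ValueError("only same-document references are supported")
    for el in root.iter():
        if el.get("Id") == uri[1:]:
            return el
    raise ValueError("referenced element not found")


def sign(xml_text, target_id):
    """Append a ds:Signature covering the element whose Id is target_id."""
    root = ET.fromstring(xml_text)
    target = find_by_id(root, "#" + target_id)
    digest = base64.b64encode(hashlib.sha256(c14n(target)).digest()).decode()

    sig = ET.SubElement(root, f"{{{DS}}}Signature")
    si = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ref = ET.SubElement(si, f"{{{DS}}}Reference", URI="#" + target_id)
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = digest
    # The signature covers SignedInfo, and therefore the DigestValue inside it.
    mac = hmac.new(DEMO_KEY, c14n(si), hashlib.sha256).digest()
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode()
    return ET.tostring(root, encoding="unicode")


def verify(signed_xml):
    """True only if (1) the digest of the canonicalized referenced element equals
    DigestValue and (2) the signature over canonicalized SignedInfo is valid."""
    root = ET.fromstring(signed_xml)
    sig = root.find(f"{{{DS}}}Signature")
    if sig is None:
        return False
    si = sig.find(f"{{{DS}}}SignedInfo")
    ref = si.find(f"{{{DS}}}Reference") if si is not None else None
    if ref is None:
        return False
    try:
        target = find_by_id(root, ref.get("URI"))
    except ValueError:
        return False
    # Step 1: recompute the digest over the canonical form and compare.
    actual = hashlib.sha256(c14n(target)).digest()
    stated = base64.b64decode(ref.findtext(f"{{{DS}}}DigestValue") or "")
    if not hmac.compare_digest(actual, stated):
        return False
    # Step 2: check the signature over SignedInfo against the trusted key.
    expected = hmac.new(DEMO_KEY, c14n(si), hashlib.sha256).digest()
    given = base64.b64decode(sig.findtext(f"{{{DS}}}SignatureValue") or "")
    return hmac.compare_digest(expected, given)


def tamper(signed_xml, target_id, new_text, refresh_digest=False):
    """Negative-test helper: change the signed content after signing, optionally
    rewriting DigestValue to match. Without the key, SignedInfo must still fail."""
    root = ET.fromstring(signed_xml)
    target = find_by_id(root, "#" + target_id)
    target.text = new_text
    if refresh_digest:
        ref = root.find(f"{{{DS}}}Signature/{{{DS}}}SignedInfo/{{{DS}}}Reference")
        ref.find(f"{{{DS}}}DigestValue").text = base64.b64encode(
            hashlib.sha256(c14n(target)).digest()).decode()
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    signed = sign(SAMPLE_DOC, "payload")
    print("intact:", verify(signed))
    print("content changed:", verify(tamper(signed, "payload", "amount=999")))
    print("digest refreshed:", verify(tamper(signed, "payload", "amount=999", True)))
```

Both checks run over `c14n()` output, which is exactly why a canonicalization defect is a signature-verification defect: if the canonical form of a document the attacker controls collides with the canonical form the signer hashed, step 1 passes and step 2 never sees the difference. Patching to the fixed library versions named above, and rejecting references that point outside the signed document (as `find_by_id` does), are the practical mitigations.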
Affected Vendors
- Simplesamlphp