Goxmldsig Project: >> Goxmldsig Security Vulnerabilities
In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade to at least revision f6188febf0c29d7ffe26a0436212b19cb9615e64 or version 1.1.0
CVSS Score
5.3
EPSS Score
0.002
Published
2020-09-29
This affects all versions of package github.com/russellhaering/goxmldsig. There is a crash on nil-pointer dereference caused by sending malformed XML signatures.
CVSS Score
7.5
EPSS Score
0.005
Published
2020-08-23