data/reports: add GO-2023-1826.yaml

neild · neild · commit 14d0da162b75 · 2023-06-09T15:42:52.000Z
Aliases: CVE-2023-34205, GHSA-jqvr-j2vg-gjrv Fixes #1826 Change-Id: I606c4425b89f584061139bd6c4e87a81d45b49b5 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/501937 Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
diff --git a/data/osv/GO-2023-1826.json b/data/osv/GO-2023-1826.json
@@ -0,0 +1,51 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2023-1826",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2023-34205",
+    "GHSA-jqvr-j2vg-gjrv"
+  ],
+  "details": "Signature validation canonicalizes the input XML document before validating the signature. Parsing the uncanonicalized and canonicalized forms can produce different results. An attacker can exploit this variation to bypass signature validation.\n\nUsers of signature validation must only parse the canonicalized form of the validated document. The Validator.Validate function does not return the canonical form, and cannot be used safely. Users should only use the Validator.ValidateReferences function and only parse the canonical form which it returns.\n\nThe Validator.Validate function was removed in github.com/moov-io/signedxml v1.1.0.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/moov-io/signedxml",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.1.0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/moov-io/signedxml",
+            "symbols": [
+              "Validator.Validate"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "REPORT",
+      "url": "https://github.com/moov-io/signedxml/issues/23"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2023-1826"
+  }
+}
diff --git a/data/reports/GO-2023-1826.yaml b/data/reports/GO-2023-1826.yaml
@@ -0,0 +1,31 @@
+id: GO-2023-1826
+modules:
+    - module: github.com/moov-io/signedxml
+      versions:
+        - fixed: 1.1.0
+      vulnerable_at: 1.0.0
+      packages:
+        - package: github.com/moov-io/signedxml
+          symbols:
+            - Validator.Validate
+summary: Signature validation bypass in github.com/moov-io/signedxml
+description: |
+    Signature validation canonicalizes the input XML document before validating
+    the signature. Parsing the uncanonicalized and canonicalized forms can
+    produce different results. An attacker can exploit this variation to
+    bypass signature validation.
+
+    Users of signature validation must only parse the canonicalized form of the
+    validated document. The Validator.Validate function does not return the
+    canonical form, and cannot be used safely. Users should only use the
+    Validator.ValidateReferences function and only parse the canonical form
+    which it returns.
+
+    The Validator.Validate function was removed in
+    github.com/moov-io/signedxml v1.1.0.
+cves:
+    - CVE-2023-34205
+ghsas:
+    - GHSA-jqvr-j2vg-gjrv
+references:
+    - report: https://github.com/moov-io/signedxml/issues/23
