Default Configuration Flaw Allows Signature Spoofing in xml-crypto Library
CVE-2024-32962

10CRITICAL

Key Information:

Vendor

Node-saml

Status
Xml-crypto
Vendor
CVE Published:
2 May 2024

What is CVE-2024-32962?

The vulnerability in the xml-crypto library for Node.js arises from the default configuration that fails to verify the authorization of the signer when validating digital signatures. This oversight enables malicious actors to manipulate XML documents and bypass signature checks simply by providing a maliciously-generated signature certificate within the element. Affected users are advised to upgrade to version 6.0.0 or later, which rectifies this issue. Until an upgrade is feasible, users can mitigate risk by validating the certificate extracted through the getCertFromKeyInfo function against trusted certificates or by configuring xml-crypto to explicitly use predefined public certificates, ensuring that only authorized signatures are accepted.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

xml-crypto >= 4.0.0, < 6.0.0

References

https://github.com/node-saml/xml-crypto/security/advisori...
x_refsource_CONFIRM
https://github.com/node-saml/xml-crypto/pull/301
x_refsource_MISC
https://github.com/node-saml/xml-crypto/pull/445
x_refsource_MISC

EPSS Score

12% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.